Interactive Locking, Zero-Knowledge PCPS, and Unconditional Cryptography

Interactive Locking, Zero-Knowledge PCPs,
and Unconditional Cryptography

Vipul Goyal
Yuval Ishai
Mohammad Mahmoody
Amit Sahai
March 10, 2011

Abstract
Motivated by the question of basing cryptographic protocols on stateless tamper-proof hard-
ware tokens, we revisit the question of unconditional two-prover zero-knowledge proofs for NP.
We show that such protocols exist in the interactive PCP model of Kalai and Raz (ICALP 08),
where one of the provers is replaced by a PCP oracle. This strengthens the feasibility result of
Ben-Or, Goldwasser, Kilian, and Wigderson (STOC 88) which requires two stateful provers. In
contrast to previous zero-knowledge PCPs of Kilian, Petrank, and Tardos (STOC 97), in our
protocol both the prover and the PCP oracle are ecient given an NP witness.
Our main technical tool is a new primitive that we call interactive locking, an ecient
realization of an unconditionally secure commitment scheme in the interactive PCP model. We
implement interactive locking by adapting previous constructions of interactive hashing protocols
to our setting, and also provide a direct construction which uses a minimal amount of interaction
and improves over our interactive hashing based constructions.
Finally, we apply the above results towards showing the feasibility of basing unconditional
cryptography on stateless tamper-proof hardware tokens, and obtain the following results:
We show that if tokens can be used to encapsulate other tokens, then there exist uncondi-
tional and statistically secure (in fact, UC secure) protocols for general secure computation.
Even if token encapsulation is not possible, there are unconditional and statistically secure
commitment protocols and zero-knowledge proofs for NP.
Finally, if token encapsulation is not possible, then no protocol can realize statistically
secure oblivious transfer.
Keywords: Cryptography, Statistical Security, Zero Knowledge, Interactive Proof, Interactive
PCP, Commitment Scheme, Oblivious Transfer, Interactive Hashing
Microsoft Research, India, vipul@microsoft.com
Technion and UCLA, yuvali@cs.technion.ac.il. Supported in part by ISF grant 1310/06, BSF grants 2004361,
2008411, and NSF grants 0716835, 0716389, 0830803, 0916574.
Princeton University, mohammad@cs.princeton.edu. Supported by NSF grants CNS-0627526, CCF-0426582 and

CCF-0832797.
UCLA, sahai@cs.ucla.edu.
1 Introduction
What is the minimal amount of trust required for unconditionally secure cryptography? Uncon-
ditional cryptography can be based on trusted two-party functionalities such as oblivious trans-
fer [Rab81, Kil88] or noisy channels [CK88], on bounded storage assumptions [Mau92], on the
presence of an honest majority [BGW88, CCD88, RB89], or even on the presence of a dishonest
majority of non-communicating parties [BGKW88]. More recently, there has been a considerable
amount of work on cryptographic protocols in which parties can generate and exchange tamper-
proof hardware tokens. In this model it was shown that unconditionally secure commitments [MS08]
or even general secure two-party computation [GIS
+
10] are possible, provided that the tokens can
be stateful. In particular, stateful tokens can erase their secrets after being invoked. The present
work is motivated by the goal of establishing unconditional feasibility results for cryptography us-
ing stateless hardware tokens. This question turns out to be related to the classical question of
unconditional multi-prover zero-knowledge proofs, which we revisit in this work. We start with
some relevant background.
1.1 Multi-Prover Zero-Knowledge
Since the introduction of zero-knowledge proofs in the seminal work of Goldwasser, Micali, and
Racko [GMR89], a large body of work has been devoted to understanding the capabilities and
limitations of such proofs. A particularly successful line of research studied the power of statis-
tical zero-knowledge (SZK) proofs ones which guarantee that even computationally unbounded
veriers can learn nothing from the interaction with the prover. In contrast to computational zero-
knowledge proofs [GMW91], a major limitation of SZK proofs which restricts their usefulness in
cryptography is that they seem unlikely to cover the entire class of NP [For89, AH91]. The related
goal of obtaining any kind of unconditional zero-knowledge proofs for NP, which do not rely on
unproven intractability assumptions, seems as unlikely to be achieved (cf. [OW93]) at least until
the elusive P vs. NP question is resolved.
Motivated by the above goals, Ben-Or, Goldwasser, Kilian, and Wigderson [BGKW88] intro-
duced in 1988 the model of multi-prover interactive proofs (MIPs), a natural extension of the
standard model of interactive proofs which allows the verier to interact with two or more non-
communicating provers. The main result of [BGKW88] is an unconditional two-prover SZK proof
for any language in NP (see [LS95, BFL90, DFK
+
92] for subsequent improvements). A direct
cryptographic application suggested in [BGKW88] is that of proving ones identity using a pair of
bank cards. We will further discuss these types of applications later.
In a very surprising turn of events, the initial work on zero-knowledge in the MIP model led to
a rapid sequence of developments that have literally transformed the theory of computer science.
This line of research culminated in the rst proof of the PCP Theorem [AS98, ALM
+
98].
The notion of probabilistically checkable proofs (PCPs) is very relevant to our work. In 1988,
Fortnow, Rompel, and Sipser [FRS88] suggested an alternative model for MIPs in which multiple
provers are replaced by a single oracle, subsequently called a PCP oracle or just a PCP. The
dierence between an oracle and a prover is that an oracle, like a classical proof, cannot keep an
internal state. When a prover is asked multiple queries, the answer to each query can depend on all
previous queries, whereas the answer of an oracle to each query must depend on that query alone.
The latter dierence makes soundness against PCP oracles easier to achieve than soundness against
provers, which explains the extra power of PCPs over traditional interactive proofs. However,
1
as already observed in [BGKW88], the zero-knowledge property becomes harder to achieve when
converting provers into oracles because oracles have no control over the number of queries made by
a dishonest verier. In particular, if the verier may query the entire domain of the oracle (as in
the case of traditional polynomial-length PCPs) then the oracle can no longer hide any secrets.
The question of replacing zero-knowledge provers by stateless oracles is motivated by practical
scenarios in which veriers can reset provers to their initial state, say by cutting o their power
supply. (Note that similarly to zero-knowledge provers, zero-knowledge PCP oracles should be
randomized in the sense that their answer depends both on the query and on a secret source of
randomness which is picked once and for all when the oracle is initialized.) This motivation led
to a recent line of work on resettable zero-knowledge, initiated by Canetti, Goldreich, Goldwasser,
and Micali [CGGM00]. The main results from [CGGM00] show that, under standard cryptographic
assumptions, there exist resettable (computational) zero-knowledge proofs for NP. However, results
along this line do not seem relevant to the case of unconditional (and statistical) zero-knowledge
proofs, which are the focus of the present work.
Zero-knowledge PCPs. The question of unconditional zero-knowledge PCPs was studied by
Kilian, Petrank and Tardos [KPT97] (improving over previous results implicit in [DFK
+
92]). Specif-
ically, it is shown in [KPT97] that any language in NEXP admits a proof system with a single
PCP which is statistical zero-knowledge against veriers that can make any polynomial number
of PCP queries (but are otherwise computationally unbounded). However, as expected from proof
systems for NEXP, the answers of the PCP oracle cannot be computed in polynomial time. This
still leaves hope for scaling down the result to NP and making the PCP oracle ecient given an
NP witness. Unfortunately, such a scaled down version presented in [KPT97] has the undesirable
side eect of scaling down the zero-knowledge property as well, eectively restricting the number
of queries made by a cheating verier to be much smaller than the (xed polynomial) entropy of
the oracle. Thus, compared to typical feasibility results in cryptography, the results of [KPT97] for
NP require us to either make an unreasonable assumption about the computational capability of
the (stateless) prover, or to make an unreasonable assumption about the limitations of a cheating
verier.
Interactive PCPs. The above state of aairs motivates us to consider the Interactive PCP
(IPCP) model, which was recently put forward by Kalai and Raz [KR08] and further studied
in [GKR08b]. This model can be seen as lying in between the pure PCP model and the pure MIP
model, thus aiding us in our quest for a minimal model for ecient unconditional zero-knowledge
proofs for NP. In the IPCP model there is one interactive prover as in the MIP model and one
PCP as in the PCP model. The study of IPCPs in [KR08] was motivated by the eciency goal of
allowing shorter PCPs for certain NP languages than in the traditional PCP model, at the price of
a small amount of interaction with a prover. In contrast, our use of the IPCP model is motivated by
the feasibility goal of obtaining unconditional zero-knowledge proofs for NP with polynomial-time
prover and PCP oracle. Another dierence is that while in the context of [KR08] a PCP is at least
as helpful as a prover, the zero-knowledge property we consider is harder to satisfy with a PCP
oracle than with a prover (as discussed above). The IPCP model can be made strictly stronger
than the MIP model by requiring soundness to hold also with respect to stateful PCP oracles. We
tackle this stronger variant as well, but we stick to the basic IPCP model by default.
To meaningfully capture zero-knowledge proofs with polynomial-time provers in the IPCP
2
model, we extend the original IPCP model from [KR08] in two natural ways. First, we allow
the PCP to be randomized. Concretely, we assume that both the prover and the PCP are imple-
mented by polynomial-time algorithms with three common inputs: an instance x, a witness w, and
a random input r. (This is analogous to earlier models for ecient multi-prover zero-knowledge
proofs for NP.) The length of both w and r is polynomial in [x[. Second, as discussed above, in
order to allow the PCP oracle to hide secrets from the verier we need to use PCP oracles with a
super-polynomial query domain, and we restrict cheating veriers to make (an arbitrary) polyno-
mial number of queries to the oracle, but otherwise allow them to be computationally unbounded.
Note, however, that in contrast to the solutions from [KPT97] we cannot use PCP oracles with a
super-polynomial entropy since we want our PCP to be eciently implementable.
This gives rise to the following feasibility question:
Are there (ecient-prover) statistical zero-knowledge proofs for NP in the interactive
PCP model?
1.2 Our Results
We answer the above question armatively, presenting an unconditional SZK proof for NP in the
interactive PCP model with ecient prover and PCP oracle. Zero-knowledge holds against cheating
veriers which can make any polynomial (in fact, even sub-exponential) number of PCP queries,
but are otherwise computationally unbounded. Our protocol can be implemented in a constant
number of rounds. We also show how to get a similar protocol (with a non-constant number of
rounds) in the stronger variant of the IPCP model in which a cheating PCP oracle may be stateful,
thus strengthening the previous feasibility result from [BGKW88].
Interactive locking. The main technical tool we use to obtain the above results (as well as
additional applications discussed below) is a new primitive which we call an interactive locking
scheme (ILS). This primitive extends in a natural way the notion of non-interactive locking schemes
which were dened and implemented in [KPT97]. The original locking primitive can be viewed as
a PCP-based implementation of a non-interactive commitment with statistical hiding and binding.
Roughly speaking, a locking scheme is an oracle which hides a secret that can later be revealed to
the receiver by sending it a decommitment key. Given access to the oracle alone, it is hard for the
receiver to learn anything about the secret. However, it is easy for the receiver to become convinced
that at most one secret can be successfully decommitted even when the oracle is badly formed.
The locking scheme from [KPT97] requires the oracle to have bigger entropy than the number
of queries against which the hiding property should hold. We prove the intuitive fact that such
a limitation is inherent, and therefore there is no ecient-oracle non-interactive locking scheme
which resists an arbitrary polynomial number of queries. This is because intuitively if the entropy
of the oracle is bounded, then either: (1) the receiver is able to learn all the entropy by making a
polynomial number of queries, and therefore break the hiding property; or (2) if some entropy is
hidden no matter what queries the receiver makes, then a cheating sender is able to create a fake
oracle that can cheat on this entropy and therefore be opened to any value, breaking the binding
property.
This motivates our notion of an interactive locking scheme. An ILS is a locking scheme in the
IPCP model: the commitment phase can involve, in addition to oracle queries by the receiver,
interaction with the sender from whom the secret originated. Here the sender and the oracle play
3
the roles of the prover and PCP oracle in the IPCP model, respectively. Decommitment still
involves a single message from the sender to the receiver. Somewhat surprisingly (and counter to
our own initial intuition), we show that interaction can be used to disrupt the intuitive argument
above.
We present several constructions of ecient interactive locking schemes. We show how to obtain
such schemes from interactive hashing a primitive which was introduced by Naor, Ostrovsky,
Venkatesan, and Yung [NOVY98] for the purpose of constructing statistically hiding and computa-
tionally binding commitment schemes from any one-way permutation (see also [OVY93a, DHRS04,
HR07]). The high level idea of the transformation from interactive hashing to ILS is to imple-
ment a one-way permutation by an oracle which contains a random point function (i.e., a function
that outputs 0 on all but one random point). To ensure the binding property even when the oracle
is badly formed, the receiver should query the oracle on a small number random points to verify
that it is not too far from a point function. The (black-box) proof of security of the interactive
hashing protocol implies (unconditional) proof of security for the ILS.
The above connection allows us to use interactive hashing protocols from the literature for
obtaining interactive locking schemes, but leaves open the question of minimizing the amount of
interaction with the sender. We resolve this question by presenting a novel direct construction of
ILS which requires only a single round of interaction with the sender.
The high level idea behind our single round ILS is as follows. The oracle constructed by the
sender will be the zero function over 0, 1
n
except for an interval of size 2
cn
. That is, (x) = 1
for a x a + 2
cn
and (x) = 0 elsewhere. Depending on whether the sender commits to zero
or one, the interval will be planted in the rst or second half of the oracle . The position a of
the interval will be revealed to the receiver in the decommitment phase. When c < 1, the interval
size 2
cn
will be small enough to prevent the receiver from nding the committed bit during the
commitment phase. But now the sender is able to cheat by planting intervals in both the rst
and second half of . To guarantee binding, we let the receiver ask a challenge question about
the interval in such a way that the sender cannot nd a pair of planted intervals in the rst and
second half of with the same challenge answer. A natural idea is to use a pairwise independent
function h: 0, 1
n
0, 1
dn
and ask the sender to reveal h(a). The sender is able to plant at
most 2
(1c)n
separate intervals in each half of . Each of the intervals in the rst and second half
of will have the same hashes with probability 2
dn
. Therefore if 2(1 c) < d, then with high
probability over the choice of h the sender is not able to nd two intervals with the same hash
value h(a) and thus gets committed to a xed bit. But now the information revealed by h(a) might
help the receiver nd a non-zero point in and break the hiding property. We show how to modify
the a known construction of pairwise independent hash functions to get another function which is
still almost pairwise independent but has the additional property that the preimages of any hash
value are scattered in the domain of the hash function. The latter property prevents the receiver
from taking advantage of the knowledge of h(a) to nd where the interval is planted. Using this
approach we simultaneously guarantee binding and hiding.
Cryptography using hardware tokens. The above study of zero-knowledge interactive PCPs
and interactive locking schemes is motivated by a recent line of research on the capabilities of
cryptographic protocols in which parties can generate tamper-proof hardware tokens and send them
to each other. Katz [Kat07] shows that, under computational assumptions, general universally
composable (UC) secure two-party computation [Can01] is possible in this model if the tokens
4
are allowed to be stateful, and in particular can erase their secrets after being invoked. It was
subsequently shown that even unconditional security is possible in this model, rst for the case
of commitment [MS08] and then for general tasks [GIS
+
10]. See [GO96, GKR08a, HL08] and
references therein for other applications of stateful tokens in cryptography.
Obtaining similar results using stateless tokens turns out to be more challenging. Part of the
diculty stems from the fact that there is no guarantee on the functionality of tokens generated
by malicious parties they may compute arbitrary functions of their inputs and may even carry
state information from one invocation to another. It was recently shown in [GIS
+
10], improving
on [CGS08], that any one-way function can be used for basing (computationally) UC-secure two-
party computation on stateless tokens. More practical protocols which satisfy weaker notions
of security were given in [Kol10]. These works leave open the question of obtaining a similar
result unconditionally, and with statistical security. (To get around impossibility results in the
plain model, the number of queries to a token should be polynomially bounded, but otherwise
malicious parties may be computationally unbounded.) In fact, the constructions from [CGS08,
GIS
+
10, Kol10] may lead to a natural conjecture that achieving statistical security in this setting
is impossible, since in these constructions all the useful information contained in tokens can be
learned by a computationally unbounded adversary using a polynomial number of queries.
However, similar to the case of ILS discussed above, the combination of stateless tokens and
interaction turns out to be surprisingly powerful. As already alluded to in [BGKW88], MIP proto-
cols can naturally give rise to protocols in the hardware token model. In our case, we implement
the ILS (or IPCP) by having a single sender (prover) create a stateless tamper-proof hardware
token which implements the PCP oracle and send it to the receiver (verier). Applying this to our
results, this directly gives rise to the rst unconditionally secure commitment protocols and SZK
proofs for NP using stateless tokens.
We show how this can be extended to general unconditionally secure (in fact, UC-secure) two-
party computation if parties are allowed to build tokens which encapsulate other tokens: namely,
the receiver of a token A is allowed to build another token B which internally invokes A. The
high level idea is the following. By the completeness of oblivious transfer (OT) [Kil88, IPS08], it
suces to realize OT using stateless tokens. This is done as follows. The OT senders input is a
pair of strings (s
0
, s
1
) and the OT receivers input is a selection bit b. The OT receiver commits
b using an ILS. Applying our best construction, this involves sending a token A to the OT sender
and responding to a random challenge message received from the OT sender. The OT sender now
prepares and sends to the receiver a token B with the following functionality. Token B accepts a
selection bit b along with a corresponding decommitment message. It checks that the decommitment
is valid (this involves invocations of the token A, which token B encapsulates) and then returns
the string s
b
if decommitment was successful. The binding property of the ILS guarantees that the
OT receiver can learn at most one string s
b
. The hiding property of the ILS guarantees that the
sender cannot learn b.
Interestingly, we also show a matching negative result: if token encapsulation is not allowed,
then statistically secure OT is impossible. This holds even if both parties are guaranteed to follow
the protocol except for making additional queries to tokens in order to learn information about the
other partys input. The proof of this negative result employs the recent notion of accessible entropy
from [HRVW09] and has the following high level intuition. One way to explain why statistical OT is
not possible in the standard model (i.e., without tokens) is that at any time during the interaction
a computationally unbounded party (e.g., the OT receiver R) is able to sample from the space of
5
its randomness r
R
conditioned on what the other party (i.e., the OT sender S) knows about Rs
computation. The latter information is captured by the transcript of the protocol. Therefore if at
the end of the interaction the distribution of r
R
conditioned on is not revealing the receivers bit
b, the receiver can sample from (r
R
[ ) and nd out both of the strings (s
0
, s
1
). If such sampling
is done eciently, the protocol is said to have accessible entropy [HRVW09]. In the token model,
however, the exchanged information is not symmetric and Bob might not know which queries Alice
has asked from Bobs tokens. Similarly to the standard model, we dene a protocol (A, B) in the
token model to have accessible entropy if the parties can (information theoretically) sample their
history of computation so far only conditioned on the other partys view. Similarly to the standard
model, accessing the entropy of a protocol for OT in the token model can be used to break its
security for the benet of either of the parties. We prove the following technical lemma: For any
protocol (A, B) in the stateless token model, there is another protocol (A
t
, B
t
) with the following
properties. (1) the parties in (A
t
, B
t
) emulate the original protocol (A, B). Namely A
t
honestly
runs an instance of A in its belly and similarly B
t
does so for an instance of B. (2) Other than
emulating (A, B), A
t
and B
t
are also allowed to learn more information about the tokens they
hold by asking token queries that might not be specied by (A, B). (3) (A
t
, B
t
) is still restricted
to asking at most poly(n) number of queries from the tokens totally. (4) Finally, almost all the
entropy of the interactive algorithms A
t
and B
t
in the protocol (A
t
, B
t
) is accessible. This lemma,
together with the necessity of inaccessible entropy for the possibility of OT, proves that statistical
OT does not exist in the stateless token world.
Organization. In Section 2, we dene the notions of zero-knowledge IPCPs and ILS, and show
how to use ILS to build unconditional zero-knowledge IPCPs for NP. We also show that interaction
is required for ecient ILS. In Section 3, we show how to construct ILS. In Section 6, we show
the implications of our work on (unconditionally secure) cryptography with tamper-proof hardware
tokens.
2 Preliminaries
2.1 Basics about Probabilities
By sup(X) we mean the support set of the random variable X. By x X we mean the process
of sampling x according to the distribution of the random variable X. By (X [ Y ) we denote the
random variable X conditioned on the random variable Y .
Denition 2.1. For the random variables X and Y dened over the set U (i.e. sup(X)
sup(Y )
U) we let SD(X, Y ) denote their statistical distance dened as: SD(X, Y ) = max
EU
[ Pr[X
E] Pr[Y E][. We also use X
Y and call X and Y -close whenever SD(X, Y ) .

It can be veried that the the statistical distance is the maximum advantage by which a statisti-
cal test (i.e., an algorithm A which outputs in 0, 1) can distinguish between two random variables
X and Y : SD(X, Y ) = max
A
[ Pr[A(X) = 1] Pr[A(Y ) = 1][. Also, the triangle inequality holds
for the statistical distance: SD(X, Y ) + SD(Y, Z) SD(X, Z).
Lemma 2.2. Let X = (X
1
, X
2
) and Y = (Y
1
, Y
2
) be random variables dened over the set U
1
U
2
and suppose SD(X, Y ) . Let Z = (Z
1
, Z
2
) be the random variable dened over U
1
U
2
as
follows: Z
1
is sampled according to X
1
(dened by the distribution of X), and then Z
2
is sampled
6
according to (Y
2
[ Y
1
) conditioned on Z
1
= Y
1
. Then it holds that SD(Y, Z) and therefore by
the triangle inequality SD(X, Z) 2.
Proof. Let SD(Y, Z) and let A be the algorithm that distinguishes between Y and Z with
advantage . Then one can distinguish between X and Y with advantage more than as well
by the following algorithm. Given the input W = (W
1
, W
2
) (which is either sampled according
to X or Y ) we take the rst component W
1
and sample Y
2
conditioned on Y
1
= W
1
according to
the distribution of Y . We then apply the test A over (W
1
, Y
2
). It is easy to see that the new test
distinguishes between Y and X as well as A does between Y and Z.
Lemma 2.3 (Lemma 6.4 of [IR89]). Let Z
1
, . . . , Z
i
, . . . be any sequence of random variables deter-
mined by a nite underlying random variable X, let E be any event for random variable X, and let
0 p 1. Let B
j
be the event that Pr
X
[E(X) [ Z
1
, . . . , Z
j
] p, and let B =
j
B
j
. Then it holds
that Pr
X
[E[X] [ B] p.
2.2 Interactive Algorithms
We assume that the reader is familiar with the notion of interactive Turing Machines introduced
in [GMR89] which here we call interactive algorithms. An interactive protocol is dened by two
interactive algorithms A and B where each of A and B may have its own private input, private
random tape, and output. By 'A, B`(x) we denote the output of B when A and B interact on
the common input x. We take the output 1 to denote an accept and the output 0 to denote a
reject. When x is clear from the context we might omit it from the notation (e.g., letting 'A, B`
denote 'A, B`(x)).
By an ecient algorithm we mean one which runs in polynomial time over its input length.
We do not assume the interactive algorithms to be necessarily ecient unless explicitly mentioned.
We always let n denote the length of the input x which will also serve as the security parameter
when A and B are ecient.
A round consists of a message from A followed by another message from B assuming that A
starts the protocol. The round complexity of the protocol (A, B) is the maximum number of rounds
that A and B interact as a function of the input length n.
The view of an interactive algorithm consists of its input, its randomness and the answers
received from the other interactive algorithm participating in the protocol.
We use the notation

A to denote a possibly malicious interactive algorithm participating in a
protocol instead of the honest interactive algorithm A.
Although one of the main applications of the interactive protocols is to use them as a proof
system [GMR89], here we dene their basic properties in a more abstract level so that we can use
them in the next section in the extended model of Interactive PCPs.
Denition 2.4 (Properties of interactive protocols). Let (P, V ) be an interactive protocol com-
posed of a prover P and a verier V . We dene the following properties for (P, V ).
Soundness: (P, V ) is (1 )-sound for the input x, if for every prover

P it holds that
Pr['
P, V `(x) = 1] .
Statistical zero-knowledge (SZK): (P, V ) is (n)-SZK for the language L if there is a simu-
lator Sim that gets oracle access
1
to an arbitrary (unbounded) verier
V , runs in time poly(n),

1
All the zero-knowledge constructions in this paper use black-box simulators.
7
and if x L then Sim
V
produces a view for
V which is (n)-close to the view of
V when inter-
acting with P on the input x. A query q
sim
= (r
V
, a
1
, . . . , a
i
) of the simulator Sim to the oracle
V consists of the randomness r

V
for

V and a set of rst i messages of the prover a
1
, . . . , a
k
to
the verier. The answer a
ver
= (q
1
, . . . , q
i+1
) returned by the oracle
V consists of the rst i+1

messages of the verier

V when r
V
is used as the randomness and a
1
, . . . , a
k
are received from
the prover. Thus the simulator Sim, in general, can rewind
V by asking queries of the form

q
sim
= (r
V
, a
1
, . . . , a
i
) and q
t
sim
= (r
V
, a
1
, . . . , a
i1
, a
t
i
). The simulator Sim is called straight-
line if its queries are of the following incremental form: (r
V
), (r
V
, a
1
), . . . , (r
V
, a
1
, . . . , a
i
)
and the output of Sim
V
is the last query of Sim: (r
V
, a
1
, . . . , a
j
). It is easier to think of a
straight-line simulator as an interactive algorithm which simply interacts with the verier

V
and outputs the view of

V in this interaction.
Note that the soundness is only a property of the verier V while zero-knowledge is only a
property of the prover P.
Inecient veriers with large randomness. To prove the zero-knowledge for inecient ver-
iers

V with super-polynomially long randomness, we slightly change the simulators behavior
of Denition 2.4 as follows. We let the oracle

V to choose the randomness r
V
uniformly at
random (hidden from the simulator) and the simulators queries would only consist of provers
messages q
sim
= (a
1
, . . . , a
i
). Also the simulators output will be the last query of the simulator
q
sim
= (a
1
, . . . , a
j
) joint with the randomness r
V
chosen by the verier (and yet (r
V
, a
1
, . . . , a
j
)
should be -close to the view of

V when interacting with P). All of our simulators in this paper
will be of this form to let us handling arbitrarily inecient veriers.
Denition 2.5 (Composition of interactive protocols). Let (P
1
, V
1
), . . . , (P
k
, V
k
) be k interactive
protocols. By (P
seq
, V
seq
) we mean the sequential composition of (P
1
, V
1
), . . . , (P
k
, V
k
) dened as
follows.
Let x be the common input.
V
seq
uses independent random coins r
V
1
, . . . , r
V
k
for V
1
, . . . , V
k
and P
seq
uses independent coins
r
P
1
, . . . , r
P
k
for P
1
, . . . , P
k
.
P
seq
and V
seq
rst interact according to the protocol (P
1
, V
1
) over the input x, and after that
interact according to the protocol (P
2
, V
2
) (over the asme input x) and so on.
At the end V
seq
rejects if any of V
i
s reject.
By (P
par
, V
par
) we mean the parallel composition of (P
1
, V
1
), . . . , (P
k
, V
k
), which is dened sim-
ilar to (P
seq
, V
seq
) with the dierence that V
1
, . . . , V
k
interact with the prover P
par
in a round-
synchronized way. Namely in the jth round of the interaction, V
par
sends the queries q
j
1
, . . . , q
j
k
to
the prover P
par
where q
j
i
is the jth query of V
i
(and q
j
i
= if V
j
s interaction nishes before the
jth round). Then V
seq
receives k answers a
j
1
, . . . , a
j
k
and V
i
uses a
i
as its answer to continue its
execution.
2
2
To dene the parallel composition, we do not necessarily assume (P1, V1), . . . , (P
k
, V
k
) to have equal round com-
plexity, and the round complexity of (Ppar, Vpar) will be the maximum of the round complexity of (P1, V1), . . . , (P
k
, V
k
).
8
Both (P
seq
, V
seq
) and (P
par
, V
par
) are special cases of concurrent composition (P
con
, V
con
) in which
the verier runs V
1
, . . . , V
k
and the prover runs P
1
, . . . , P
k
in a way that V
i
will be interacting with
P
i
in the ith sessions. There is not any round synchronization enforced across dierent sessions.
The honest verier V
con
will send the next query q
j
i
(i.e. the jth query of V
i
) when she receives the
answer a
j1
i
from P
i
in the ith session, but a cheating verier

V
con
might delay sending such query
to gather more answers in dierent sessions before continuing. On the other hand the honest prover
P
con
will send the answer a
j
i
back whenever he receives the query q
j
i
from V
con
, but a cheating prover
P
con
might delay sending such answer to gather more queries in dierent sessions before continuing.
By using simple delay policies, both the prover and the verier (when the other party is hon-
est) are able to force a concurrent composition to behave like a parallel or sequential composition.
The inputs in composed protocols. In all variants of compositions dened above (including
the concurrent composition), the same input x is used in all the sub-protocols. More general
denitions of concurrent composition allow dierent inputs to be used in dierent instances of the
protocol, but our denition still generalizes the parallel and sequential denitions and is enough
for our purposes. Moreover, the properties of the concurrent composition described in Lemma 2.13
below (in particular the SZK property) hold in the more general form of concurrent composition
with dierent inputs (as long the inputs are xed at the beginning of the execution of the system.)
Lemma 2.6 (Properties of composition of interactive protocols). Let (P
1
, V
1
), . . . (P
k
, V
k
) be k in-
teractive protocols, and let (P
seq
, V
seq
), (P
par
, V
par
), (P
con
, V
con
) be, in order, their sequential, parallel,
and concurrent compositions. It holds that:
1. Soundness [BM88]: If (P
i
, V
i
) is (1
i
)-sound over the input x for all i [k], then
(P
con
, V
con
) (and in particular (P
seq
, V
seq
) and (P
par
, V
par
)) will have soundness 1
i
.
2. SZK [KLR06]: If (P
i
, V
i
) is
i
-SZK for the language L with a straight-line simulator for all
i [k], then (P
con
, V
con
) (and in particular (P
seq
, V
seq
) and (P
par
, V
seq
)) will be (
i
)-SZK
for L with a straight-line simulator.
Part 1 of Lemma 2.6 is proved in [BM88] for the case of parallel composition, but the proof
extends to the concurrent composition as well. The proof of Part 2 of Lemma 2.13 follows by a
standard hybrid argument similar to the proof of Part 2 in Lemma 2.17 below.
2.3 Oracle Algorithms
We use the standard notation A
to denote an oracle algorithm A accessing the oracle . For the

oracles
1
, . . . ,
k
, by = (
1
[ . . . [
k
) we mean their combined oracle dened as follows: Given the
query (i, q), answers as (i, q) =
i
(q). We allow an oracle algorithm A
to ask multiple oracle

queries from in one round of queries.
By a malicious stateful oracle we mean an interactive algorithm whose honest behavior is
like an oracle. In other words, given a round of queries q
1
, . . . , q
k
, returns (q
1
), . . . , (q
k
), but
a malicious stateful oracle accessed by the oracle-algorithm A can respond the queries similar to
a malicious interactive algorithm interacting with A. That is, s answer to a query q can depend
on the common input x, or the previous queries of A asked from , or other queries being asked in
the same round as q.
9
Denition 2.7 (Parallel composition of oracle algorithms). Let A
1
1
, . . . , A
k
k
be k oracle algorithms
with access to k oracles
1
, . . . ,
k
where for all i [k] A
i
asks at most t rounds of oracle queries
from
i
. We dene A
par
par
the parallel composition of A
1
1
, . . . , A
k
k
as follows.
The oracle
par
= (
1
[ . . . [
k
) is the combined oracle of
1
, . . . ,
k
.
A
par
par
emulates A
1
1
, . . . , A
k
k
in parallel as follows. Let q be one of the queries of A
i
in its jth
round of queries to
i
. A
par
asks (i, q) from
par
in its jth round of queries and returns the
answer to A
i
.
A
par
par
rejects if any of the emulated algorithms A
1
1
, . . . , A
k
k
reject.
2.4 Interactive PCPs
Interactive PCPs (Denition 2.8 below) were rst introduced in [KR08] and combine the notion of
oracle algorithms with interactive algorithms. Similar to the previous section, here also we dene
IPCPs in a general way, not only for the purpose of a proof system, but rather as a model of
interaction consisting of interactive algorithms and a prover.
Denition 2.8. (Adapted from [KR08]) An interactive probabilistically checkable proof (IPCP)
= (P, , V ) consists of an interactive algorithm P (the prover), an oracle (the PCP oracle),
and an interactive algorithm V (the verier) such that:
P and share common randomness r
P
, and V is given the randomness r
V
.
P, , and V will be given an input x of length [x[ = n. P and may also receive a common
private input w.
3
The PCP oracle is a function of (r
P
, x, w, q) where q is a query of the verier V . Since
(r
P
, x, w) is xed at the beginning of the protocol, we might simply use (q) to denote the
answer to the query q.
P and V
engage in an interactive protocol during which V can query the PCP oracle and
at the end V accepts or rejects.
By an ecient IPCP we mean one in which the prover P, the PCP oracle , and the verier V
run in polynomial time over the input length [x[ = n.
Denition 2.9 (Properties of IPCPs). Let = (P, , V ) be an IPCP. We dene the following
properties for .
Soundness: is (1 )-sound for input x, if for every prover and oracle (
P, ) it holds that
Pr['
P, V

`(x) = 1] .
Adaptive-soundness: is (1 )-adaptively-sound for input x, if for every prover

P and
every stateful oracle it holds that Pr['
P, V

`(x) = 1] .
Statistical zero-knowledge (SZK): The SZK property is dened as an extension to the
SZK property of interactive protocols (Denition 2.4) with respect to a language L. Since all
of our simulators in this paper are straight-line, for sake of simplicity here we only describe
how to extend the denition to SZK of IPCPs for straight-line simulators.
3
For example when (P, ) are ecient and L NP, w could be a witness for x L.
10
The straight-line simulator interacts with a (potentially malicious) verier

V , while the
simulator Sim receives all the queries of the the verier (including both the queries asked
from the prover and from the oracle) and responds to them.
Since an unbounded verier can ask arbitrary number of queries from its oracle, here we
put a bound u on the number of oracle queries asked by

V . More formally we say that
is (u(n), (n))-SZK (with a straight-line simulator), if there is a simulator described as
above such that for any v u, if

V asks at most v oracle queries, then Sim runs in time
poly(n, v) and produces a view for

V which is -close to the view of

V when interacting
with (P, ).
Note that when u(n) is super-polynomial, Denition 2.10 implies the standard notion of zero-
knowledge against polynomial-time veriers.
Denition 2.10 (SZK-IPCP for languages). We say that = (P, , V ) is an SZK-IPCP for the
language L with SZK (u(n), (n)) and (adaptive) soundness 1 (n) if the following holds:
Completeness: If x L, then Pr['P, V
`(x) = 1] = 1.
(Adaptive) soundness: has (adaptive) soundness 1 if for all x L, the verier V is
(1 (n))-(adaptively)-sound. Namely for all provers

P and (stateful) oracles it holds that
Pr['
P, V

`(x) = 1] (n).
Statistical zero-knowledge (SZK): Dened according to the denition of SZK in Deni-
tion 2.9.
We simply call an SZK-IPCP for L with (adaptive) security u, if is (11/u)-(adaptively)-sound
and (u, 1/u)-SZK.
Round complexity of IPCPs. By the round complexity of an IPCP we mean the number of
rounds of interaction between the verier and the prover (and not the PCP oracle) where each
round consists of a message from the verier followed by a message from the prover. In particular,
the round i for the verier starts after the i 1th message of the prover is sent and ends when the
ith query of the verier to the prover is sent (which will be followed be a message from the prover).
Thus in each round the verier behaves like an oracle-algorithm. The reasons to only consider the
interaction with the prover as a factor in round complexity are as follows.
1. In our constructions of SZK-IPCPs, the number of rounds of oracle queries is either equal
to one (Theorem 3.1) or is bounded by the number of rounds of interaction with the prover
(Theorem 3.2). On the other hand our negative results (Part 2 of Theorem 4.1) is regardless
of number of rounds of oracle queries.
2. Regarding the application of IPCPs to the stateless hardware token model, the queries from
the PCP oracle are asked locally (as opposed to the queries from the prover which are sent
to a remote party). Therefore the number of rounds of interaction with the prover is a more
meaningful measure of the eciency of the system.
Let be an IPCP with j rounds. We can always decompose the veriers randomness into
r
V
= (r
1
V
, . . . , r
j
V
) so that for the rst i rounds only the rst i parts (r
1
V
, . . . , r
i
V
) are used by the
verier. A trivial decomposition is to let r
1
V
= r
V
and r
i
V
be the empty string for i 2, but that
might not be the natural decomposition of the randomness.
11
Denition 2.11 (Public-coin IPCPs). By a public-coin IPCP we mean an IPCP where the prover
gets to see the coin tosses of the verier all along the interactions. Namely the veriers randomness
is decomposable into r
V
= (r
1
V
, . . . , r
j
V
) such that r
i
V
is publicly reviled (to the prover) at the
beginning of round i and (r
1
V
, . . . , r
i
V
) is used by the verier in round i.
Comments about public-coin IPCPs.
As a mental experiment we can always assume that the whole randomness r
V
is chosen at
the beginning and it is only reviled part by part to the prover and is used by the verier.
Without loss of generality we can always assume that r
i
V
is the ith message of the verier
to the prover. That is because the prover knows the content of the oracle and thus can
determine the veriers query at the end of round i by only knowing (r
1
V
, . . . , r
i
V
). Despite
this fact, it might still be conceptually simpler to describe the veriers query in other ways.
Being public-coin is part of the denition of the model and it might change the soundness of
an IPCP. Namely, and IPCP might be 0.99-sound when considered as a (regular) IPCP over
an input, but only 0.01-sound when considered as public-coin IPCP.
When considering adaptive soundness (against stateful oracles), the public-coin IPCP model
is only as strong as a two-party (i.e. single prover) interactive protocol. The reason is that
the prover and the oracle both get full information about the veriers messages to both of
them and thus can play as a unied party. (For the same reason fully-public-coin multi-prover
proof systems are only a special case of single prover proof systems.)
Now we dene several forms of composition of IPCPs by extending the corresponding compo-
sitions of interactive algorithms (Denition 2.5) to the IPCP model. The new component in the
IPCP model compared to the model of interactive algorithms is the oracle. The oracle in all the
compositions of IPCPs discussed here is simply the combined oracle of the IPCPs being composed.
This way the ith emulated verier will ask its oracle queries from the ith oracle by adding a prex
i to its queries and asking them from the combined oracle.
Denition 2.12 (Composition of IPCPs). Let
1
= (P
1
,
1
, V
1
), . . . ,
k
= (P
k
,
k
, V
k
) be k IPCPs.
Let = (
1
[ . . . [
k
) be the oracle combination of
1
, . . . ,
k
, and let U
i
be the modied version
of V
i
which asks its oracle queries from rather than
i
by adding the prex i and asking (i, q)
from . We dene the sequential
seq
= (P
seq
,
seq
, V
seq
), parallel
par
= (P
par
,
par
, V
par
) and
concurrent
con
= (P
con
,
con
, V
con
) composition of
1
, . . . ,
k
, in order, as the sequential, parallel,
and concurrent composition of (P
1
, U
1
), . . . , (P
k
, U
k
) (note that
seq
=
par
=
con
= ). In case of
parallel composition the emulated veriers ask their oracles queries also in parallel. Namely, let U
j
i
denote the jth round of the oracle algorithm U
i
(i.e., after it asks its (j 1)th query and before
it asks its jth query from the prover P
i
). Similarly let V
j
par
denote the jth round of the oracle
algorithm V
par
. The oracle algorithm V
j
par
will be the parallel composition of the oracle algorithms
U
j
1
, . . . , U
j
k
according to Denition 2.7.
The denition above describes the honest behavior of the prover, oracle, and the verier in
various forms of composition. The way malicious parties can behave in such compositions is deter-
mined both by the denition of the composition and the IPCP model. In particular, although in all
forms of composition the emulated V
i
asks its oracle queries from by adding a prex i (simulating
12
the query being asked from
i
), since the oracle is accessible by the verier all along, a malicious
verier is allowed to ask any query from the oracle . Also in the case of concurrent composition,
it might be useful for a malicious stateful oracle to gather more queries from the verier before
responding to them.
Note that similar to the case of interactive algorithms, the soundness and SZK of the concurrent
composition imply those properties (with the same parameters) for the sequential and parallel
compositions.
Lemma 2.13 (Properties of composition of IPCPs). Let
1
= (P
1
,
1
, V
1
), . . . ,
k
= (P
k
,
k
, V
k
) be
k IPCPs, and let
seq
,
par
and
con
be in order their sequential, parallel, and concurrent composi-
tions. It holds that:
1. Soundness: If
i
is (1
i
)-sound for input x for all i [k], then
con
(and in particular
seq
and
par
) will have soundness 1
i
over the input x.
2. Adaptive-soundness: If
i
is (1
i
)-adaptively-sound for input x for all i [k], then
seq
will have adaptive-soundness 1
i
over the input x.
3. SZK: If (P
i
,
i
, V
i
) is (u,
i
)-SZK for the language L with a straight-line simulator for all
i [k], then
con
(and in particular
seq
and
par
) will be (u,
i
)-SZK for the language L
with a straight-line simulator.
In the case of sequential composition of interactive protocols it was not necessary for the simu-
lator to be straight-line to get Part 2 of Lemma 2.6, but as we will see in the proof of Lemma 2.13,
in the case of IPCPs since the verier is allowed to query the oracle whenever she wants, we need
the simulator to be straight-line even in the case of sequential composition.
Proof. (of Lemma 2.13)
Soundness. Let

P be an arbitrary prover and = (
1
[ . . . [
k
) an arbitrary oracle where
i
is
the oracle accessed by the emulation of V
i
in V
con
. We claim that Pr['
P, V

` = 1]
i
p
i
and the
reason is as follows. Let V
t
i
= V

i
i
be the interactive algorithm where the oracle
i
is hardwired into
the algorithm V
i
(note that V
t
i
is inherently inecient). Now the interactive algorithm V
t
= V

con
is the same as the concurrent composition of V
t
1
, . . . , V
t
k
. The crucial point is that the interactive
algorithm V
t
i
is well-dened regardless of which other interactive algorithms are run in parallel.
That is because
i
is a xed oracle and its answers only depend on the queries that V
i
is asking
from it (i.e.,
i
s answers do not change depending on other queries asked by other V
j
s). Let
t
i
= max
P
Pr['P, V
t
i
` = 1], then by the soundness hypothesis it holds that
t
i
= max
P
Pr['P, V
t
i
` = 1] max
P,
Pr['P, V
i
` = 1]
i
.
Therefore by Part 1 of Lemma 2.6, it holds that
Pr['
P, V

con
` = 1] max
P
Pr['P, V
t
` = 1]
t
i

i
.
Adaptive-soundness. Suppose the sequential executions of
1
, . . . ,
k
do not lead to a reject.
Then by the (1
i
)-adaptive-soundness of
i+1
, V
i+1
will accept with probability at most
i
regardless of what has happened in the previous interactions and even if
i+1
is stateful. Thus the
probability that all of V
i
s accept is bounded by
i
.
13
SZK. For an arbitrary IPCP = (P, , V ) let (P
u
, V ) be the interactive protocol in which P
u
answers both the queries of V from the prover P and up to u oracle queries of V asked from . If
P, and P
u
are honest, then from the point of view of a verier V who asks at most u oracle queries
there is no dierence between interacting with P
u
or (P, ). Therefore (P
u
, V ) is -SZK for any
language L (with a straight-line simulator) if and only if is (u, )-SZK for L (with a straight-line
simulator). Now by Part 2 of Lemma 2.6 and using the fact that
i
is (u,
i
)-SZK, it follows that
(P
u
i
, V
i
) is
i
-SZK for L. Let (P
u
con
, V
con
) be the concurrent composition of (P
u
i
, V
i
)s for i [k]. By
Part 2 of Lemma 2.6 (P
u
con
, V
con
) is (
i
)-SZK for L. On the other hand, if we restrict a verier
V to ask at most u queries from a combined oracle = (
1
, . . . ,
k
), the number of queries that
V can ask from the ith sub-oracle
i
(by adding the prex i to the query) is also bounded by u.
Therefore the (
i
)-SZK property of (P
u
con
, V
con
) implies that
con
is (u,
i
)-SZK for L.
We shall point out that since in the sequential composition
seq
a cheating verier

V
seq
can
ask arbitrary queries to the oracle
seq
at any time during the interaction, therefore the behavior
of

V
seq
in
seq
does not necessarily correspond to a cheating verier interacting in the sequential
composition of (P
u
i
, V
i
)s. However any cheating verier

V
con
participating in
con
(and in particular
participating in
seq
and
par
) always corresponds to a cheating verier interacting in a concurrent
composition of (P
u
i
, V
i
)s.
2.5 Interactive Locking Schemes
An Interactive locking scheme is a commitment scheme implemented in the IPCP model. A similar
denition appeared in [KPT97] without the interaction (i.e. only with an oracle), but as we will
see in Theorem 4.1 non-interactive locking schemes are inherently inecient and therefore not as
applicable in cryptographic settings.
Denition 2.14 (Interactive locking scheme). Let = (S, , R) be an ecient IPCP (where we
call S the sender, the locking oracle and R the receiver) of the following form:
The common input is of the form 1
n
where n is the security parameter.
(S, ) receive a private input w W
n
which is called the committed message as well as the
private randomness r
S
. The receiver R gets the randomness r
R
.
The receiver R gets oracle access to the locking oracle and R
interacts with S in two phases:

(1) commitment phase and (2) decommitment phase. The decommitment phase consists of
only one message from the sender S to the receiver R which includes the committed message
w and the private randomness r
S
used by S. Following this message the receiver R (perhaps
after asking more queries from the oracle ) accepts or rejects.
Completeness: For any w W
n
if all parties are honest the receiver accepts with probability
one:
Pr['S(w), R
(w)
`(1
n
) = 1] = 1
where the probability is over the random seeds r
S
and r
R
.
Then is called an interactive locking scheme (ILS) for the message space W
n
and if W = 0, 1,
we call a bit-ILS. When n is clear from the context we might simply use W rather than W
n
to
denote the message space.
14
Denition 2.15 (Properties of ILSs). Let = (S, , R) be an ILS. We dene the following
properties for .
Binding: We dene to be (1 )-binding if for any sender

S and any oracle , with
probability at least 1 over the interaction of the commitment phase there is at most one
possible w such that

S can decommit to successfully. More formally, let R
t
be the interactive
algorithm which does the following.
1. Choose a randomness r
R
for the receiver R.
2. Run the commitment phase of R in .
3. R
t
reads all the queries of the oracle that are of length bounded by the running time
of R (this step is inherently inecient).
4. Knowing the content of the oracle , R
t
accepts if there exist (w
1
, r
1
) and (w
1
, r
2
) such
that w
1
= w
2
and R would accept both of (w
1
, r
1
) and (w
1
, r
2
) in the decommitment
phase.
is (1)-binding over the message space W
n
i (S, , R
t
) is (1)-sound over the common
input x = 1
n
.
Hiding: Let

R be any malicious receiver who asks at most u oracle queries from , and let
w
be the random variable which consists of the transcript of the interaction of R with (S, ) till
the end of the commitment phase when the committed message is w W. is (u, )-hiding
if for every such malicious receiver

R and every w
1
, w
2
W it holds that SD(
w
1
,
w
2
) .
Equivocability: is equivocable if there is an ecient sampling algorithm Sam that given
(, w) where is the transcript (including the oracle queries) of the commitment phase of
'S,
` (for an arbitrary receiver

R) and any w W, if
Pr[w is the committed message and is the transcript of 'S,
`] = 0
then Sam(, w) outputs r according to the distribution (r
S
[ , w). Namely r is sampled
according to the distribution of the private randomness r
S
of (S, ) conditioned on w being
the committed message and being the transcript of the commitment phase.
We simply call the ILS u-secure if it is (1 1/u)-binding and (u, 1/u)-hiding.
Public-coin ILS. Since ILSs are IPCPs by denition, we dene an ILS to be public-coin similar
to the way we dened public-coin IPCPs. Note that the soundness of an ILS might decrease when
considered as a public-coin system.
Round-complexity of ILS. Since the interactive part of the decommiemnt phase of any ILS
consists only of one message from the sender S to the receiver R, by the round-complexity of any
ILS we only refer to the number of rounds during its commitment phase.
15
Composition of ILSs. Dierent forms of composition of IPCPs can be applied to ILSs just
as well, but here we are interested in their parallel composition and a specic variant of it. In
any k-fold composition of the ILSs the sender receives k private messages w
1
, . . . , w
k
where each
w
i
W is used as the private message in the ith ILS. Therefore the message space of the composed
ILS potentially increases from W to W
k
. We use parallel composition to expand the message space.
We use a variant of parallel composition which uses the same message in all composed ILSs to to
amplify the soundness of an ILS.
Denition 2.16 (Parallel Compositions of ILSs). Let
1
= (S
1
,
1
, R
1
), . . . ,
k
= (S
k
,
k
, R
k
) be
k ILSs. By
par
= (S
par
,
par
, R
par
) we mean the the parallel composition of
1
, . . . ,
k
as IPCPs
according to Denition 2.12. Namely, during the decommitment phase the sender S
par
sends the
message ((w
1
, r
P
1
), . . . , (w
k
, r
P
k
)) to the receiver R
par
who emulates the interactive algorithm R
i
over the message (w
i
, r
P
i
) for i [k] (and accepts if all of them accept).
By a same-message (parallel) composition
smp
= (S
smp
,
smp
, R
smp
) of
1
, . . . ,
k
we mean
their parallel composition where the receiver enforces the condition that the same w
1
= w
2
= =
w
k
W is used as the commmitted message in all of
1
, . . . ,
k
. Namely, in the decommitment
phase of
smp
, the sender S
smp
sends (w, r
S
1
, . . . , r
S
k
) to the receiver R
smp
and the receiver runs
the verication algorithm similar to R
par
but over the message ((w, r
P
1
), . . . , (w, r
P
k
)).
Note that the message space of the same-message composition
smp
stays the same as W (as
opposed to the regular parallel composition
par
which expands the message space to W
k
).
Lemma 2.17 (Properties of parallel compositions of ILSs). Let
1
= (S
1
,
1
, R
1
), . . . ,
k
=
(S
k
,
k
, R
k
) be k ILSs with the same round complexity and the same message space W, and let
par
= (S
par
,
par
, R
par
) and
smp
= (S
smp
,
smp
, R
smp
) be their parallel and same-message composi-
tions. Then we have:
1. Binding: If
i
is (1
i
)-binding for all i [k], then
par
is (1
i
)-binding and
smp
is
(1
i
)-binding.
2. Hiding: If
i
is (u,
i
)-hiding for all i [k], then
par
and
smp
are both (u,
i
)-hiding.
3. Equivocability: If
i
is equivocable for all i [k], then both of
par
and
smp
are also
equivocable.
Proof. .
Binding. S
par
of
par
gets bound to a message (w
1
, . . . , w
k
) if all of S
i
s for i [k] get bound to
a message w
i
. By the union bound and the (1
i
)-binding of
i
with probability at most
i
by
the end of the commitment phase there exist an i [k] where S
i
is not bound to a xed w
i
. Thus
S
par
has binding at least (1
i
).
On the other hand, since S
smp
is forced to use the same message w in all of R
i
s, S
smp
gets
bound to a message w if for at least one i [k] R
i
gets bound to a message w. Recall that
the latter happens whenever the inecient modication of the receiver R
t
i
dened in binding part
of Denition 2.15 rejects and by the binding of
i
this rejection happens with probability at least
1
i
. Therefore by the soundness amplication of parallel composition of IPCPs (Part 1 of Lemma
2.13), with probability 1
i
at least one of R
t
i
s reject in the execution of S
smp
in which case
the sender S
smp
gets committed to at most one possible message w.
16
Hiding. We use a standard hybrid argument (which works the same for both
par
and
smp
). Fix
any two messages w
1
= (w
1
1
, . . . , w
1
k
), w
2
= (w
2
1
, . . . , w
2
k
) and consider k +1 experiments as follows.
In the ith experiment for 0 i k, we use a parallel composition of
1
, . . . ,
k
while for 0 j i
the committed message in
j
is w
1
j
and for i + 1 j k, the committed message in
j
is w
2
j
.
Fix any malicious receiver

R
par
who asks at most u queries from its locking oracle . Let
i
be the
random variable which consists of the transcript of the commitment phase in the ith experiment.
If SD(
0
,
k
) >
i
, then there should exist i [k] such that SD(
i1
,
i
) >
i
. Therefore

R
par
can
distinguish between the experiments i 1 and i with advantage
i
. Now we claim that there exists
a malicious receiver

R that can break the
i
-hiding of
i
by
i
-distinguishing the two experiments
where in the rst one w
1
i
and in the second one w
2
i
is used as the committed message in
i
.

R will
run

R
par
while simulating the k 1 other senders and oracles of

R
par
as follows. For
0
, . . . ,
i1
R simulates their senders and locking oracles while w

1
j
is used as the committed string in
j
and
in k i other games
i+1
, . . . ,
k
it simulates their senders and locking oracles while w
2
j
is used
as the committed string in
j
. Then it is easy to see that

R will
i
-distinguish between the two
experiments because

R
con

i
-distinguishes
i1
from
i
. But this contradicts the
i
hiding of
i
.
Equivocability. Let
par
= (
1
, . . . ,
k
) be the transcript of the interaction of R
par
with (S
par
,
par
)
where
i
consists of the part of the transcript for
i
and let w = (w
1
, . . . , w
k
) be the message that
has a non-zero chance of being the private message conditioned on
par
being the transcript. To
sample a randomness (r
P
1
, r
P
2
, . . . , r
P
k
) consistent with
par
and w one has to sample r
P
i
consistent
with (
i
, w
i
) for all i [k] which is possible by the equivocability of
i
s.
Therefore we can use
par
to expand the message space at the cost of slight loss in hiding and
binding, while
smp
can be used to amplify the soundness at the cost of slight loss in hiding.
3 Statistically Zero-Knowledge IPCP for NP
In this section we show how to construct a 2
(n)
-secure constant-round SZK-IPCP for any language
L NP where both the prover and the PCP oracle in our construction can be implemented
eciently given a witness w for x L. We also show how to achieve a 2
(n)
-adaptively-secure
SZK-IPCP for any L NP at the cost of poly(n) round-complexity. More formally we prove the
following two theorems.
Theorem 3.1 (Constant-round SZK-IPCP for NP). For any language L NP there exists a 2-
round ecient public-coin SZK-IPCP
2R
for L with security 2
(n)
. Moreover, the simulator of
2R
is straight-line and therefore by Lemma 2.13 for a small enough constant c, a 2
cn
-fold concurrent
composition of
2R
remains (2
(n)
, 2
(n)
)-SZK.
Theorem 3.2 (Adaptively-secure SZK-IPCP for NP). There exists a (poly(n)-round) ecient
SZK-IPCP
adap
for L with adaptive-security 2
(n)
.
The oracle is inherent for SZK. If we only want to achieve computational zero-knowledge,
we can remove the PCP oracle from the IPCP model and only the interaction would suce to
achieve this goal (under the computational assumption that one-way functions exist [GMW91]).
On the other hand, if the domain of the PCP oracle were only of size poly(n) (rather than
17
super-polynomial), then a malicious polynomial-time verier could read all of the information in
and so the language L would be in the class SZK AM co-AM which does not contain the
class NP unless the polynomial hierarchy collapses. This means that the existence of a oracle
with a super-polynomial domain is inherent to achieve unconditional zero-knowledge for NP.
Intuition behind Theorem 3.1. Our main step to prove Theorems 3.1 is to construct an
interactive (ILS) (Denition 2.14), a primitive corresponding to commitment schemes in the IPCP
model. In Theorem 4.1 we present an ILS with optimal round complexity (i.e. one round). Then we
feed our ILS (as a commitment scheme) into the well-known construction of [GMW91] to achieve
zero-knowledge for NP with non-negligible soundness. A classical way to amplify the soundness of
proof systems (while keeping the round-complexity) in the standard model of interaction is to use
parallel composition. We use the fact (Part 1) that parallel composition of IPCPs decreases the
soundness error exponentially. The latter result (i.e. Part 1 of Lemma 2.17) is interesting on its
own since the IPCP model lies in between the single-prover and the multi-prover models and it is
known [FRS88] that the parallel repetition does not amplify the soundness in a simple exponential
form (as one would wish). Secondly, we show that although the parallel composition might hurt
the zero-knowledge in general, by crucially using equivocability feature of our ILS (see Denition
2.14) one can prove that SZK is preserved under parallel composition.
Lemma 3.3. (Followed by Part 1 of Theorem 4.1) There exist an ecient ILS = (S, , R) for
the message space 1, 2, 3 with security 2
(n)
which is public-coin and equivocable. Moreover the
commitment phase of has only one round of interaction.
To use the construction of [GMW91] we also need the following technical lemma.
Lemma 3.4 (Hiding of selective opening of ILSs). Let
1
= (S
1
,
1
, R
1
), . . . ,
k
= (S
k
,
k
, R
k
)
be ILSs with the same round complexity and the same message space W and suppose that
i
is
(u,
i
)-hiding for all i [k]. Also let D be an arbitrary (perhaps correlated) distribution over W
k
.
Now consider an arbitrary receiver

R who asks at most u oracle queries and interacts with the
parallel composition of (S
1
,
1
), . . . , (S
k
,
k
) in the following experiments Real or Simul. Then

R
can not distinguish between Real and Simul with an advantage more than 3
i
. In other words
the statistical distance between the view of

R in the two experiments is at most 3
i
.
Experiment Real:
1. (w
1
, . . . , w
k
) is sampled according to the distribution D, (r
1
, . . . , r
k
) is sampled uniformly at
random and (S
i
,
i
) receives (w
i
, r
i
) as its private message and randomness.
2.

R interacts with (S
1
,
1
), . . . , (S
k
,
k
) in parallel till the end of the commitment phases.
3.

R selects an arbitrary set B [k] and receives (w
i
, r
i
) for all i B.
4.

R can continue asking up to u oracle queries (including the previous queries asked) from the
combined oracle = (
1
[ . . . [
k
).
18
Experiment Simul:
1. (r
t
1
, . . . , r
t
k
) is sampled uniformly at random and (S
i
,
t
i
) receives (0, r
t
i
) as its private message
and randomness.
2.

R interacts with (S
1
,
t
1
), . . . , (S
k
,
t
k
3.

R selects a subset B [k]. At this point (w
1
, . . . , w
k
) is sampled according to D, and r
i
is
sampled at random conditioned on being consistent with w
i
and the transcript of 'S
i
,
i
`.
Then

R receives (w
i
, r
i
) for all i B.
4. Now for all i B let
i
be the oracle generated with (w
i
, r
i
) as its private message and
randomness, and for all i [k] ` B let
i
be the same as
t
i
. Let the combined oracle be
dened as = (
1
[ . . . [
k
).

R can continue asking up to u oracle queries (including the
previous queries) from the combined oracle .
Proof. We will use several hybrid arguments. We rst dene one more experiment:
Experiment Mixed:
1. (r
t
1
, . . . , r
t
k
i
,
t
i
) receives (0, r
t
i
and randomness.
2.

R interacts with (S
1
,
t
1
), . . . , (S
k
,
t
k
3.

1
, . . . , w
k
i
is
i
i
,
i
`.
Then

R receives (w
i
, r
i
) for all i B.
4. Now for all i k let
i
i
, r
i
randomness, and let the combined oracle be dened as = (
1
[ . . . [
k
).

R can continue
asking up to u oracle queries (including the previous queries) from the combined oracle
t
.
Claim 3.5. For any receiver

R who asks at most u oracle queries, the statistical distance between
the view of

R in Real and Mixed is at most
i
.
Proof. Let
mixed
and
real
be the transcript of the commitment phases in the experiments Mixed
and Real. As a mental experiment suppose:
1. In Mixed, the sampling (w
1
, . . . , w
m
) D
k
is done at the beginning (similar to Real).
2. In both Real and Mixed, the random seeds (r
1
, . . . , r
k
) are chosen after the commitment
phases are done, conditioned on the transcript of the commitment phases (
mixed
or
real
) and
(w
1
, . . . , w
m
).
Now the only dierence between Real and Mixed is in the statistical distance between (w
1
, . . . , w
k
,
mixed
)
and (w
1
, . . . , w
k
,
real
) in the two experiments. The crucial point is that the distribution of r
i
s
conditioned on (w
1
, . . . , w
k
, ) are independent and thus the way they are sampled in Real and
Mixed (conditioned on (w
1
, . . . , w
k
, )) is the same. Now suppose the statistical distance between
(w
1
, . . . , w
k
,
mixed
) and (w
1
, . . . , w
k
,
real
) is more than
i
. Then by an average argument we can
19
x the value of (w
1
, . . . , w
k
) and still keep the statistical distance to be more than
i
. Namely
for xed values of (w
1
, . . . , w
k
), the statistical distance between
mixed
and
real
is more than
i
.
Notice that the dierence between Mixed and Real (after xing (w
1
, . . . , w
k
)) is that
mixed
is gen-
erated with (0, . . . , 0) as the private messages while
real
is generated with (w
1
, . . . , w
k
). But this
contradicts the hiding property of parallel composition of ILSs (i.e. Part 2 of Lemma 2.17).
The following claim together with Claim 3.5 (and the triangle inequality over the statistical
distances) nishes the proof.
Claim 3.6. For any receiver

R who asks at most u oracle queries, the statistical distance between
the view of

R in Mixed and Simul is at most
i
2
i
.
Before proving Claim 3.6 consider the following two experiments.
Experiment Com0Dec0:
1.

R interacts with (S
i
,
i
) in the commitment phase conditioned on 0 being the private message
of (S
i
,
i
).
2.

R can continue asking up to u oracle queries.
Experiment Com0Decw:
1.

R interacts with (S
i
,
i
) in the commitment phase conditioned on 0 being the private message
of (S
i
,
i
).
2. A randomness of the sender r
S
is sampled conditioned on the view of

R and w being the
private message.
3.

R can continute asking up to u oracle queries, but the oracle answers will be based on (w, r
S
)
being the private message and the randomness of the oracle.
Claim 3.7. For any message w, any receiver

R who asks at most u oracle queries can distinguish
between the Com0Dec0 and Com0Decw by an advantage of at most 2
i
.
Proof. Let the experiment ComwDecw be an experiment similar to Com0Decw where the transcript
of the commitment phase was generated conditioned on w being the private message. By the (u,
i
)-
hiding of the ILS
i
the statistical distance between the view of

R in Com0Dec0 and ComwDecw
is at most
i
. We can apply Lemma 2.2 (with X, Y , and Z being in order the view of

R in
Com0Dec0, ComwDecw, and Com0Decw, and the rst part of each random variable being the view
of the commitment phase) to conclude that the statistical distance of view of

R in Com0Dec0 and
Com0Decw is at most 2
i
.
Proof. (of Claim 3.6) Suppose

R can distinguish between Simul and Mixed with advantage more
than
i
. By an average argument we can get x the sample (w
1
, . . . , w
k
) D
x
and use it in
Simul and Mixed and keep the distinguishing advantage of

R more than
i
. Now we use a hybrid
argument. For 0 j k, dene the jth hybrid experiment as follows.
20
Experiment Hybrid
j
1. (r
t
1
, . . . , r
t
k
i
,
t
i
) receives (0, r
t
i
and randomness.
2.

R interacts with (S
1
,
t
1
), . . . , (S
k
,
t
k
3.

1
, . . . , w
k
i
is
i
i
,
i
`.
Then

R receives (w
i
, r
i
) for all i B.
4. Now for all i B [j] let
i
i
, r
i
randomness, and for all i [k] ` (B [j]) let
i
be the same as
t
i
. Let the combined oracle
be dened as = (
1
[ . . . [
k
).

R can continue asking up to u oracle queries (including the
previous queries) from the combined oracle .
Note that Hybrid
0
= Simul and Hybrid
k
= Mixed (with the mentioned dierence that (w
1
, . . . , w
k
)
is xed now). Therefore if

R can distinguish between Simul and Real with advantage more than
i
2
i
, then there exists i [k] such that

R can distinguish between Hybrid
i1
and Hybrid
i
with
advantage more than 2
i
. It is easy to see (similar to the proof of Part 2 of Lemma 2.17) that

R
can be converted into another malicious receiver

R
i
who asks at most u oracle queries and is able
to distinguish between Com0Dec0 and Com0Decw
i
with advantage more than 2
i
. But the latter is
not possible because of Claim 3.7.
Therefore Lemma 3.4 follows from Claims 3.6 and 3.5 and the triangle inequality over the
statistical distance.
4
Now we prove Theorem 3.1 using Lemma 3.3 and Lemma 3.4.
Proof. (of Theorem 3.1) Let L NP, and let x be an input to an IPCP for L. By using the
Cook-Levin reduction one can eciently compute (from x) a graph G where x L i G 3COL,
and moreover any witness for x L can be eciently converted into a witness for G 3COL and
vice versa. So we would assume that the parties always will run the Goldreich-Levin reduction rst
and then will work with a graph G as their input where G has n = [N[ vertices and m = [M[ edges.
By a padding argument we can always assume that n [x[ and so any u(n)-secure IPCP for 3COL
will yield a u(n)-secure IPCP for L as well. Therefore without loss of generality will work with
L = 3COL directly.
We use the zero-knowledge construction of [GMW91] which in turn uses a commitment scheme.
For the needed commitment scheme we use the ILS = (S, , R) of Lemma 3.3.
Construction 3.8 (Weakly-sound SZK-IPCP for 3COL). Let w: [n] 1, 2, 3 be a proper 3-
coloring for G where w(i) = w(j) if i = j. Let = (S, , R) be the ILS of Lemma 3.3 and let w be
the secret input given to (S, ). The IPCP = (P, , V ) is as follows.
4
Note that the reductions in various hybrid arguments in the proof of Lemma 3.4 are not ecient, but they keep
the number of queries asked by

R bounded (which was sucient). The reductions can be done eciently if is are
equivocable.
21
1. The prover P chooses s S
3
at random where S
3
is the set of all permutations over the set
1, 2, 3. P uses s to randomize the coloring w to get a new 3-coloring of G as c(i) = s(w(i))
for all i N. Note that c is also a proper 3-coloring of G. Moreover for any edge (i, j) M
it holds that (c(i), c(j)) is uniformly distributed over 1, 2, 3
2
conditioned on c(i) = c(j).
2. The prover P and the verier V will engage in an n-fold parallel composition of the com-
mitment phase of the ILS where c(i) and r
i
are, in order, the committed message and the
private randomness used by (S
i
,
i
) (in the ith instance of ). The interaction of this step
stops right before the decommitment phases start.
3. The verier V chooses an edge (i, j) M at random and sends (i, j) to the prover P.
4. The prover decommits the ith and jth instances of by sending (c(i), r
i
) and (c(j), r
j
) to
the verier V .
5. The verier V veries (c(i), r
i
), (c(j), r
j
) as decommitments of the ith and jth and rejects if
either of them fail or if c(i) = c(j).
Claim 3.9. The IPCP = (P, , V ) of the Construction 3.8 has the following properties.
1. Completeness: If G is a 3-colorable graph, then Pr['P, V
`(G) = 1] = 1.
2. Soundness: is
1
2m
-sound. Namely, if G is not 3-colorable, then Pr['P, V
`(G) = 0]
1
2m
.
3. SZK: is (2
(n)
, 2
(n)
)-SZK with a straight-line simulator.
4. Eciency: can be implemented eciently (when (P, ) are given a proper coloring w of
G as their private input).
5. Round-complexity: If the commitment phase of has t rounds, then has round com-
plexity t + 1.
6. Public-coin: is public-coin if is public-coin.
Proof. .
Completeness. The completeness follows from the completeness of and the fact that w is a
proper coloring.
Soundness. Suppose G is not 3-colorable. Since runs n instances of in parallel, by Part 1
of Lemma 2.17, with probability at least 1 n, by the end of the commitment phases, for each
i [n] there is at most one possible c(i) that the prover can decommit to (together with some
randomness r
i
) successfully. In the following we assume that such event has happened. Now for
each i [n] let c(i) be the possible color that the prover can decommit to and let c(i) = if such
color does not exist. Since G is not 3-colorable, with probability at least 1/m the verier chooses
an edge (i, j) such that either c(i) = , or c(j) = , or c(i) = c(j). But in all these cases the verier
will reject. Therefore the verier will reject at some point during he interaction with probability at
least (1 n)
1
m
. Recall that had hiding 1 1 2
(n)
, which means that has soundness
(1 n)
1
m

1n2
(n)
m

1
2m
.
22
SZK. Suppose

V is a malicious verier which asks up to u queries from where (of Lemma
3.3) is (u, )-hiding. The simulator Sim starts by plugging in a random seed for

V and interacting
with

V similar to the way that (P, ) would do. But the problem is that Sim is not given the
coloring w and cannot get the randomized proper coloring c. Instead Sim does the following.
1. Sim uses the trivial (and most probably improper) coloring c(i) = 0 for all i N and interacts
with

V .
2. After receiving the edge (i, j) M from

V , the simulator chooses (c(i), c(j)) 1, 2, 3
2
conditioned on c(i) = c(j) and chooses r
t
i
(resp. r
t
j
) at random conditioned on being consistent
with c(i) (resp. c(j)) and the transcript of 'S
i
,
i
` (resp. 'S
j
,
j
`). The latter is possible
because of the equivocability of .
3. Sim answers the remaining oracle queries of

V , but it pretends that (c(i), r
t
i
) and (c(j), r
t
j
) are
the private message and randomness used in order by
i
and
j
. (For queries to other oracles
t
where t i, j, Sim continues using (0, r
t
) as the message and the randomness used for
the oracle
t
.)
When one is interacting with the honest prover P and the honest oracle , for any xed edge
(i, j) M the distribution of the colors of its vertices (c(i), c(j)) is uniformly distributed over
1, 2, 3
2
conditioned on c(i) = c(j). Therefore by Lemma 3.4, the simulator Sim generates a
view for

V which is 3
i[n]
= (3n)-close to the view of

V when interacting with the honest
prover and the oracle (P, ). Since is (u, ) = (2
(n)
, 2
(n)
)-hiding, it follows that has SZK
(2
(n)
, 3n2
(n)
) = (2
(n)
, 2
(n)
) with a straight-line simulator.
The eciency, round-complexity, and public-coin properties are immediate.
Finally let
2R
be an mn-fold parallel composition of . By Part 1 of Lemma 2.13,
2R
has soundness 1 (1 1/2m)
mn
= 1 2
(n)
. Also by Part 3 of Lemma 2.13
2R
has SZK
(2
(n)
, mn2
(n)
) = (2
(n)
, 2
(n)
) with a straight-line simulator. Clearly
2R
remains complete,
ecient, and 2-round and this nishes the proof of Theorem 3.1.
Proof. (of Theorem 3.2) To prove Theorem 3.2 it is enough to get an SZK-IPCP with non-negligible
adaptive soundness. Then by Part 2 of Lemma 2.13 we can use the sequential composition to amplify
the adaptive-soundness.
Note that if the verier asks only one query from the oracle, then there is no dierence between
soundness and adaptive-soundness.
A construction of [BGKW88] takes any multi-prover interactive proof system and compiles it
into a 2-prover system with non-negligible soundness where the verier asks only one query from
the oracle. The construction of [BGKW88] is as follows. The verier sends its randomness r
V
to
the rst prover and gets a full simulation of its interaction with the original multi-prover system.
Then, in order to make sure that the rst prover did not lie, one of the query/answer pairs claimed
by the rst prover is chosen at random and is veried by the second prover. If the answers were
dierent the verier rejects. It is easy to see that if the rst prover does not simulate the game
honestly as a simulation of the multi-prover case, then it will be caught with probability roughly
1/v where v is the total number of queries of the interaction being simulated. (We refer the reader
to [BGKW88] for more details).
23
As a rst try, we use the construction of [BGKW88] to compile our SZK-IPCP of Theorem
3.1 into one with non-negligible adaptive-soundness and only one oracle query. Namely, we starts
ask the verier to send its randomness to the prover who simulates the whole execution of the
original system. Then we choose one of the query/answer pairs claimed by the prover and verify its
correctness with the oracle (who is supposed to know the answer to such queries). Unfortunately,
the problem with this construction is that the verier is also able to reset the original prover
through the new oracle. That is because the new oracle is supposed to know the answer to all the
queries to the original prover and there is no restriction on which queries the verier will ask from
the oracle. Therefore we loose the SZK property.
To keep the SZK property, as a second try, we change the construction above as follows. The
verier will choose only one of the oracle queries, simulated by the new prover, and veries that
query with the new oracle. Now if the prover lies about any of the oracle-type simulated queries,
it still will be caught by the verier with non-negligible probability. Unfortunately, this time we
might loose the soundness. The reason is that if the soundness of the original system relies on
the oracle queries being hidden from the prover, since in the new simulation we are revealing the
oracle queries of the original system to the prover, the prover might honestly simulate the oracle
queries but use this knowledge to lie about the simulated queries of the original prover. But the
good news is that if the original construction of SZK-IPCP was public-coin, then the soundness is
still guaranteed even if the prover gets to see the oracle queries, and so in this case we do not loose
the soundness! More formally we use the following construction.
Construction 3.10 (From soundness to weak adaptive-soundness). Let = (P, , V ) be an IPCP.
We construct new IPCP
t
= (P
t
,
t
, V
t
) as follows.
PCP oracle: The (honest) oracle
t
will be the same as .
The interaction of P
t
and V
t
:
1. V
t
chooses a randomness r
V
for V and interacts with P
t
similar to the interaction of V
and P. The main dierence is that any time that V needs to ask a query from , V
t
will ask this query from the prover P
t
instead.
2. At this time V
t
has a full description of a possible interaction between V
and P and
rejects if V would reject in this interaction.
3. Suppose q
1
, . . . , q
v
are the oracle queries that were asked from the prover P
t
and let a
i
be the answer claimed by P
t
for the oracle query q
i
. If V
t
didnt reject in the previous
step, it will chooses a random i [v] and queries q
i
from the oracle
t
. Let a
t
i
=
t
(q
i
)
be the answer. V
t
rejects if a
i
= a
t
i
.
Claim 3.11 (Properties of Construction 3.10). Let = (P, , V ) be an (ecient) public-coin IPCP
for the language L which is (1 )-sound, (u, )-SZK and public-coin where the honest verier V
asks at most v oracle queries. When is used in Construction 3.10 the result is an (ecient) IPCP
t
= (P
t
,
t
, V
t
) for the language L which is (u v, )-SZK, and is (1 )/v-adaptively-sound.
Proof. .
24
SZK. Any simulator Sim for with parameters (u, ) can be used to get a simulator Sim
t
for
t
with parameters (u v, ). The reason is that the view of any malicious verier
V
t
in
t
who asks
at most u v can be simulated by another malicious verier

V in who uses

V
t
as a black box
(and in a straight-line manner). The verier

V runs
V
t
and whenever
V
t
asks an oracle query from
the prover P
t
,

V also asks this query from the oracle . Thus any (straight-line) simulator for

V
can be used to simulate the view of
V
t
with the same statistical distance .
Adaptive soundness. Since the verier asks only one query from
t
, it does not matter whether
t
is stateful or not. More formally, for any potentially stateful
t
we dene a (stateless) oracle
tt
which given the query x answers according to
t
when
t
is asked only the query x. Note that from
the point of view of V
t
there is no dierence between
t
and
tt
, so we might as well assume that
V
t
asks its query from the stateless oracle
tt
.
Let Rej be the event that V
t
rejects. By the soundness of as a public-coin IPCP if P
t
answers
all of q
1
, . . . , q
v
honestly according to
tt
, then it would hold that Pr[Rej] 1. It is crucial that
is public-coin, because in the interaction of V
t
and P
t
, P
t
gets to know the oracle queries of V and
the soundness should hold even in this case. But a malicious prover
P
t
can change Pr[Rej] by lying
about the answer to some of q
i
s. Let Lie be the event that there exists i [v] such that a
i
=
tt
(q
i
),
and let NoLie be the complement event that a
i
=
tt
(q
i
) for all i [v]. By the (1 )-soundness of
the public-coin IPCP it still holds that:
Pr[Rej NoLie] (1 ) Pr[Lie]. (3.1)
On the other hand if Lie happens then P
t
will be caught with probability at least 1/v, and so
Pr[Rej [ Lie] 1/v. (3.2)
Therefore we conclude that
Pr[Rej] = Pr[Rej NoLie] + Pr[Rej Lie]
max(0, 1 Pr[Lie]) + Pr[Lie] Pr[Rej [ Lie] by Inequality 3.1
max(0, 1 Pr[Lie]) + Pr[Lie]
1
v
by Inequality 3.2
(1 )/v. Achieved by Pr[Lie] = 1
We use Construction 3.10 over the IPCP = (P, , V ) of Theorem 3.1 to get a new IPCP
t
= (P
t
,
t
, V
t
). Let v = poly(n) be the number of oracle queries of V in . Since is public-
coin and is 2
(n)
-secure, therefore
t
will have adaptive-soundness 1/(2mv) = 1/poly(n) and SZK
(2
(n)
v, 2
(n)
) = (2
(n)
, 2
(n)
).
Finally let
adap
be a mvn-fold sequential composition of
t
. By Part 2 of Lemma 2.13,
adap
has adaptive-soundness 1 (1 1/(2mv))
mvn
= 1 2
(n)
. Also by Part 3 of Lemma 2.13
adap
has
SZK (2
(n)
, mvn2
(n)
) = (2
(n)
, 2
(n)
) and this nishes the proof of Theorem 3.2.
25
4 Interactive Locking Schemes
In this section we study ILSs and will construct an ILS with optimal round complexity.
Theorem 4.1. (A round-optimal ILS) Let (n) = poly(n), then
1. There exist an ecient ILS = (S, , R) for the message space 0, 1
with security 2
(n)
which has a commitment phase of only one round and is public-coin.
2. Any ILS with a noninteractive commitment phase needs an inecient oracle and thus
has optimal round-complexity (as an ecient ILS).
First, in Section 4.1 we present a general construction for ILSs from any interactive hashing
scheme (IHS) (see Denition 4.2) where the round-complexity of the used IHS equals the round-
complexity of the commitment phase of the constructed ILS. Using known constructions for IHS we
get an ILS with a 2-round commitment phase. We show that this is the best one can get through
this approach by showing that any IHS with the parameters needed for our construction requires
at least 2 rounds (see Proposition 4.5).
Then in Section 4.2 we present a direct construction for ILS with only one round of interaction in
the commitment phase. Both constructions of Sections 4.1 and 4.2 are 2
(n)
-secure and public-coin.
Thus the 1-round construction of Section 4.2 proves Part 1 of Theorem 4.1.
Finally in Section 4.3 we will show that at least one round of interaction is needed in the
commitment phase of any ecient ILS (proving Part 2 of Theorem 4.1).
4.1 ILS from IHS
Interactive hashing schemes (IHS Denition 4.2) and their variants have been of great use in
designing cryptographic protocols. Although the core central properties needed for IHSs in all these
applications is of an information theoretic avor, in the applications of IHSs in the computational
regime [OVY93a, OVY93b, HHK
+
05, HR07], compared to the applications in the information
theoretic regime [CCM98, CCM98, DHRS04]) some extra properties are required for the IHS used.
Here we use a minimal denition whose properties hold in all existing forms of IHS in the literature
and show that the existence of any IHS according to this denition implies the existence of ILS.
Denition 4.2 (Interactive hashing). An interactive hashing scheme (IHS) = (S, R) is a two
party protocol between a sender S and a receiver R where both are given 1
n
as the security
parameter and S is also given w M as the private message. By the end of the protocol the
transcript of the protocol determines two outputs w
0
= w
1
0, 1
n
for which the following
properties hold.
Completeness: If S and R are honest, then w w
0
, w
1
.
Binding: The protocol is -binding, if for every xed set T W of size [T[ [W[ and
any malicious sender

S the probability that both of w
0
and w
1
lie in T is at most 1/2; namely
Pr
/
S,R)=(w
0
,w
1
)
[w
0
, w
1
T] 1/2.
Hiding: If the sender S is honest, then for any transcript of the protocol which determines
the outputs (w
0
, w
1
) it holds that Pr
w|w
0
,w
1
[w = w
0
[ ] = Pr
w|w
0
,w
1
[w = w
1
[ ] = 1/2.
Therefore if, w W is chosen uniformly at random, w
0
and w
1
will have the same chance of
being equal to w.
26
We call ecient if both S and R are ecient and public-coin if the messages of the receiver R
only consist of her public coin tosses.
It is easy to see that if R simply sends a 2-to-1 pairwise-independent hash function h: 0, 1
n
0, 1
n1
to S and S sends back h(w), it gives a -binding IHS for 2
n/2
. But, as we will see
in Lemma 4.3 for our construction of ILS from IHS (Lemma 4.3) we need IHSs with non-negligible
binding = (1/poly(n)).
Lemma 4.3 (ILS from IHS). Let = (S
, R
) be a k-round IHS with binding over the message

space 0, 1
n
with a deterministic sender S
. Then there exists a bit-ILS = (S, , R) with a k-

round commitment phase which is 1/2-binding and (2
n/2
, 2
n/2
)-hiding. Moreover if is ecient,
then (S, ) are ecient and the receiver R runs in time poly(n, 1/) (and so if in addition =
1/poly(n), then is ecient as well).
[OVY93a] presented an IHS with binding = (1) at the cost of poly(n) rounds of interaction.
[DHRS04] showed how to achieve a constant-round IHS with 1/poly(n) binding. In all the known
constructions of IHS the sender is deterministic, and in our construction of ILS from IHS (Lemma
4.3) we use this property. The determinism of the sender is not crucial to us and if the sender is
randomized, then we only need the following sampling property to hold: Given any transcript of
the protocol determining (w
0
, w
1
) and any i 0, 1 one can eciently sample r
i
from the senders
space of randomness according to r
i
(r
S
[ , w = w
i
).
By using any known k-round ecient IHS with 1/poly(n)-hiding and Lemma 4.3, we get an
ecient ILS which is 1/2-binding and (2
(n)
, 2
(n)
)-hiding. Now Part 1 of Lemma 2.17 yields
that an n-fold parallel composition of is 2
(n)
-secure and nally an -fold same-message parallel
composition expands the message space to 0, 1
while we keep the 2

(n)
-security. Therefore by
using the 2-round IHS scheme of [DHRS04] and Lemma 4.3 we derive Part 1 of Theorem 4.1 (but
still without the optimal round-complexity).
Intuition. Our approach in the proof of Lemma 4.3 is to use the well-known reduction from
statistically hiding bit commitments to IHS in the computational setting [NOVY98] and its black-
box proof of security. Roughly speaking the idea of [NOVY98] is to run the IHS over the message
y 0, 1
n
where y = f(x) and f is a permutation. Now if f is a one-way permutation the fraction
of points y which the malicious sender

S is able to invert is a negligible = neg(n) fraction of
0, 1
n
. Therefore if the ILS is -binding for non-negligible (and in particular < ) with a
noticeable probability, by the end of the IHS with outputs y
0
, y
1
, there is at most one y where
S can invert (i.e., present x such that y = f(x)) and claim that y was his private message. So if at
the last step of the commitment phase

S sends a bit d = b c where b is his bit-message and y is
such that y = y
c
, then she gets committed to only one possible value for b for which she can nd a
consistent c.
5
But here we are interested in unconditionally secure protocols and we can not rely on the
existence of one-way permutations or any other computational assumption. The idea is to use the
locking oracle to hold a random (non-zero) point function (x) = y where the sender knows the
image y and the preimage x and thus can invert y to x. By using the IHS over the image y,
the sender gets committed to a unique y (with probability at least 1/2) assuming that there are
5
The argument needs to be formalized through an ecient reduction and we refer the reader to the rather
complicated full proof of [NOVY98].
27
fewer than 2
n
many invertible points in the set (0, 1
n
). But the receiver can guarantee
that the latter is the case by picking 100/ random samples x
t
0, 1
n
(conditioned on x = x
t
)
and verifying that (x
t
) = 0.
Proof. (of Lemma 4.3) We rst describe the bit-ILS = (S, , R).
Construction 4.4 (Bit-ILS from IHS). Let b 0, 1 be the private message hold by (S, ). We
will use the IHS with the properties described in Lemma 4.3 over the message space 0, 1
n
with
binding .
The commitment phase of :
1. The common randomness r
R
of (R, ) will be (x, y) 0, 1
n
0, 1
n
where y = 0. The
locking oracle will contain a point function: (x) = y and (x
t
) = 0 for x
t
= x.
2. S and R engage in the IHS where the sender S uses y as the private message of S
.
3. Let b be the private bit given to S, and let (y
0
< y
1
) be the output of the protocol and let
c be such that y = y
c
. As the last message of the commitment phase the sender S sends the
bit d = b c to the receiver R. Note that this does not require an extra round of interaction
since d can be concatenated to the last message of the sender.
The decommitment phase of :
1. S sends b and (x, y) to R.
2. R veries that (x) = y and y = y
db
(and rejects otherwise).
3. For i [n/] the receiver R samples x
t
i
0, 1
n
conditioned on x
t
i
= x at random and
veries that (x
t
i
) = 0 holds for all i [n/] (and rejects otherwise).
Now we prove the properties of the ILS of Construction 4.4.
Completeness is immediate.
Binding. Let T = (x) [ x 0, 1
n
` 0 and T
1
= x [ (x) = 0 be the set of non-zero
points in the oracle . There are two cases: either T
1
has size [T
1
[ 2
n
or [T
1
[ < 2
n
.
If the rst case [T
1
[ 2
n
holds, then with probability at least 1 (1 )
n/
> 1 2
n
one of
the receivers samples x
t
i
will be sampled from T
1
and then the receiver R rejects. (The way we
described the protocol the random samples x
t
i
s are chosen in the decommitment phase, but they
are part of the randomness r
R
of the receiver and are chosen in the beginning of the commitment
phase.)
On the other hand, if the second case [T
1
[ < 2
n
holds, it implies that the size of [T[
[T
1
[ < 2
n
is small as well. Now by the binding property of the IHS , with probability at least
1/2 one of y
0
, y
1
lies out of T in which case there is only one way for the sender S to decommit
to a bit b consistent with y
0
, y
1
and d. Therefore the 1/2-binding holds in either of the cases.
28
Hiding. If a malicious receiver

R asks up to 2
n/2
queries from the oracle , they will be all
answered zero with probability at least 1 2
n/2
by the uniformity of x 0, 1
n
. But in that
case the oracle queries of

R do not reveal any information about y and the hiding of the ILS
follows from the hiding of the IHS .
Equivocability. Let be the transcript of any malicious receiver

R by the end of the commitment
phase. Given (b, ) the sampler algorithm Sam does the following. Let (x
t
1
) = y
t
1
, . . . , (x
t
t
) = y
t
t
be the oracle queries asked by

R from appeared in the transcript and let (y
0
, y
1
) be the output
of the executed IHS. If there exist i [t] such that y
t
t
= 0, then it means that

R has found the
committed bit b = d c where c is such that y
t
i
= y
c
. In this case the sampler Sam simply outputs
(x
t
i
, y
t
i
). On the other hand if y
t
i
= 0 for all i [t], then the sampler chooses y = y
c
where c = b d
and chooses x 0, 1
n
` x
t
1
, . . . , x
t
t
and outputs (x, y) (pretending that (x) = y).
By using the IHS of [DHRS04] (which has the fewest number of rounds among known IHSs) we
get a 2-round ILS. The following proposition shows that the Construction 4.4 of ILSs from IHSs
is not able to achieve ecient ILSs with one round (in the commitment phase).
Proposition 4.5 (Nontrivial IHSs need two rounds). Any IHS with at most 3 messages ex-
changed between the sender and the receiver has binding at most = 100/
[W[. Therefore for

[W[ = 2
n
, any IHS with non-negligible binding needs at least two rounds of interaction.
Proof. For starters we assume that has only one round (i.e. two messages) where the receiver
sends its message rst. Later we will extend the result to 3-message protocols. Suppose the rst
message sent from the receiver is q and is followed by an answer a from the sender. In the following
discussion we x a query q. Now any answer a corresponds to two elements w
a
1
, w
a
2
W which
determines an edge in a graph G
q
with the vertex set W. Each edge a has a probability of being
used as the senders message. By duplicating the edges we can change G
q
into a multi-graph such
that the distribution of the message of the sender corresponds to selecting a random edge from
G
q
. The hiding property implies that any two connected vertices x and y have the same degree
d(x) = d(y). Therefore each connected component of G
q
is a regular graph. Now we show that
such graphs have a relatively large matching.
Lemma 4.6 (Large matchings in regular graphs). Let G be any graph with v vertices such that
the vertices have degree at least one and each connected component of G is regular. Then G has a
matching of size at least v/4.
Proof. By the Vising theorem each connected component of G can be properly colored with +1
colors where is the degree of the vertices of that component. Since each color forms a matching,
therefore each component of G with u vertices has a matching of size at least
u
2(+1)
u/4.
Therefore G has a matching of size at least v/2.
Let M be the matching of size [W[/4 in G guaranteed by Lemma 4.6. The sender samples
a random set T W by choosing each w W with probability 10/
[W[. Each edge of the

matching M gets covered by T with probability at least 100/[W[. Therefore with probability at
least 1 (1 100/[W[)
[W[/4
> 1 2
25
> 99/10 at least on of the edges in M gets covered.
Now we let q, the message of the receiver, also be chosen according to its distribution. For each
such q, when we construct the graph G
q
, the random set T covers one of the edges of G
q
with
probability at least 99/100. Therefore, with probability at least 9/10 over the choice of T, the set
29
T has the property that: with probability at least 9/10 over the choice of q, at least one of the
edges of G
q
is covered by T. We call such T a good set.
On the other hand by Markov inequality with probability at least 9/10, the size of T is bounded
by 100
[W[. Therefore by a union bound with probability at least 8/10, T is both a good set and
also of size at most 100
[W[. This set T can be used by the sender to break the binding of ,
because with probability at least 9/10 over the rst message q of the receiver, the sender is able to
send a message a (corresponding to the edge covered by T) which determines two elements in the
set T as the output of the protocol.
Now we study 3-message protocols. If we add one more message q
1
from the receiver to to the
sender (in addition to the the 2-messages in the protocols studied above), the last message of the
receiver does not restrict the senders cheating power, because the set of messages that the sender
can claim to be his message does not depend on the last message of the sender.
Now suppose the protocol has three messages where the sender starts the interaction. In this
case, the rst message of the sender a
0
might decrease the space of possible values for w which are
consistent with a
0
. Now the sender xes a value a
0
for his rst message. Let W
t
be the set of
values for w which are consistent with a
0
. By using the same attack above (for the protocols which
start with a
0
), the sender can still nd a set T of size at most 100
[W
t
[ < 100
[W[ to break the

binding of .
4.2 A 1-round ILS
Theorem 4.7 (A 1-round ILS). There exists an ecient bit-ILS
1R
which is 2
n/10
-secure and has
only one round of interaction in the commitment phase.
Before proving Theorem 4.7 we need to develop some basis tools.
Thus we also get the following lemma, whose proof is immediate.
Lemma 4.8. For n > m let / be the family of n m Boolean matrices as follows. To get a
uniform member of A, choose the rst n m rows all at random, and take the last m rows to be
an independently chosen random member of full rank m. Then for any 0 = x 0, 1
n
, it holds
that Pr
A.
[xA = 0] 2
m
(and equivalently for any x
1
= x
2
0, 1
n
and y 0, 1
m
, it holds
that Pr
A.
[x
1
A = x
2
A] 2
m
).
Proof. (of Theorem 4.7) We use the following construction for the ILS
1R
.
Construction 4.9 (A 1-round ILS). Suppose b 0, 1 is the private message given to sender and
the oracle (S, ), and suppose R is the receiver. Let m = 3n/4. Below we associate 0, 1
n
with
the integers [0, 2
n
) and all additions and subtractions below are modulo 2
n
.
The commitment phase of
1R
:
1. Sender S chooses a 0, 1
n
at random. Let f
b
be the function: f
b
(x) = 1 i a x < a+2
m
,
and let f
1b
be the zero function over 0, 1
n
. The locking oracle will be the combination of
the two functions = (f
0
[f
1
) (indexed by the rst bit of the query to ).
2. Receiver R samples A / from the family of matrices of Lemma 4.8 and sends A to S.
3. Sender S checks that the last m rows of A are independent, and if so he sends h = aA to the
receiver R.
30
The decommitment phase of
1R
:
1. Sender S sends (b, a) to the receiver R.
2. Receiver R does the following checks and rejects if any of them does not hold.
(a) Check that aA = h.
(b) Check that f
1b
(a) = 0, and f
b
(a) = 1.
(c) For each i [0, m], sample 10n random points from [a, a +2
i
) and check that f
b
(x) = 1
for all of them, and also sample 10n random points from (a 2
i
, a 1] and check that
f
b
(x) = 0 for all of them
Now we study the properties of the ILS
1R
.
Completeness is immediate.
Binding. As a mental experiment we pretend that the randomness used during the decommitment
phase by R is chosen in the decommitment phase (rather than in the beginning of the commitment
phase).
For a xed locking oracle , Let X
0
(resp. X
1
) be the set of possible values of a that sender
S can send to the receiver R as the decommitment of b = 0 (resp. b = 1) and get accepted in the
decommitment phase with probability at least 2
2n
. We prove that by the end of the commitment
phase, with probability at least 1 2
n/8
, it holds that [X
0
[ = 0 or [X
1
[ = 0 which means that
the sender has only one way to decommit the value b and get accepted with probability more than
2
2n
. But now if we choose the receivers randomness in the commitment phase, since there are at
most 2
n+1
possible values for (b, a), it follows by a simple average argument that with probability
at least 1 2
2nn1
over the commitment phase, the prover gets committed to only one possible
value for (b, a) which he can use to pass the decommitment phase successfully.
Claim 4.10. X
0
X
1
= .
Proof. If a X
0
X
1
. Then when a is used as the decommitment of 0, in Step 2b of the decom-
mitment phase the receiver R checks that f
0
(a) = 1, f
1
(a) = 0. On the other hand in the case of
decommitting to 1, receiver R checks that f
b
(a) = 0, f
1b
(a) = 1, but they cant both hold at the
same time.
Claim 4.11. It holds that [X
0
[ 2
nm
and [X
1
[ 2
nm
.
Proof. We show that if a, a
t
X
0
then [a a
t
[ 2
m
(and this would show that X
0
2
n
/2
m
).
Assume on the contrary that a
t
< a and aa
t
< 2
m
. Let i [1, m] be such that 2
i1
aa
t
< 2
i
.
Then by the pigeonhole principle ether at least half of ([a
t
, a]) are zero or at least half of the values
([a
t
, a]) are one. Without loss of generality let assume that at least half of ([a
t
, a]) is zero. In this
case at least 1/4 of the values ([[a
t
, a
t
+2
i
)]) are zero. But then by Step 2c of the decommitment
phase (0, a
t
) will be accepted with probability at most (3/4)
10n
< 2
2n
, and therefore a
t
X
0
which is a contradiction.
Claim 4.12. With probability at least 1 2
(n)
over the choice of A, it holds that [X
0
[ = 0 or
[X
1
[ = 0.
31
Proof. Fix any pair a
0
X
0
and a
1
X
1
, we know that a
0
= a
1
. Therefore, Pr
A
[a
0
A = a
1
A] =
Pr
A
[(a
0
a
1
)A = 0] 2
m
. Claim 4.11 yields that there are at most 2
nm
2
nm
such pairs, so by
using a union bound, with probability at least 1 2
m
2
2n2m
= 1 2
2n3m
over the choice of A, it
holds that X
0
AX
1
A = which implies that if the sender sends any hash value h, the consistency
check of Step 2a of the decommitment phase either makes [X
0
[ = 0 or [X
1
[ = 0.
As we said before Claim 4.12 implies that with probability 1 poly(n) 2
2n3m
= 1 poly(n)
2
n/4
1 2
n/8
over the interaction in the commitment phase the sender gets bound to a xed
b 0, 1 to which he can decommit successfully.
Hiding. Suppose receiver R can ask at most u 2
n/8
queries from the locking oracle . We
claim that before sending the matrix A, all of receiver Rs queries to are answered zero with
probability at least 1 2
n/4
. To see why, think of Z
2
n as being divided into 2
nm
= 2
n/4
equal
intervals such that a is the beginning of one of them. Since receiver R asks up to 2
n/8
queries,
before sending the matrix Z, he will ask a query from the interval beginning with a with probability
at most 2
n/8
/2
n/4
= 2
n/8
. Therefore (up to 2
n/8
statistical distance in the experiment) we can
assume that the matrix A is chosen by receiver R independently of a.
After receiving h, the information that the receiver R knows about a is that it satises the
equation aA = h. If we choose and x the rst n m bits of (a potential) a, then the remaining
bits are determined uniquely because the last m rows of A are full rank. It means that for every
y [0, 2
nm
) there is a unique solution for a in the interval [y2
m
, y2
m
+ 2
m
), and they are all
equally probable to be the true answer from the receivers point of view.
Now again we claim that (although there are 2
m
nonzero points in f
b
) all the queries that the
receiver R asks from f
b
are answered 0 with probability at least 12
n/8
. Let Z = z [ zA = h be
the set of possible values for a. For z Z, let I(z) = [z, z+2
m
). We claim that no x 0, 1
n
can be
in I(z) for three dierent zs from Z. To see why, let z
1
< z
2
< z
3
and that x I(z
1
)I(z
2
)I(z
3
).
But now the interval [y2
m
, y2
m
+ 2
m
), containing z
2
separates z
1
and z
3
, and so z
3
z
1
> 2
m
.
Therefore I(z
1
) I(z
3
) = which is a contradiction. So, if the receiver R asks u queries from
f
b
, he can ask queries from I(z)s for at most 2u dierent zs (out of 2
nm
many of them). As a
mental experiment assume that a is chosen from Z after the receiver R asked his queries, it holds
that I(a) will be an interval that the receiver R never asked any query from with probability at
least 1 u/2
nm
1 2
n/8
. Therefore with probability at least 1 2
n/9
all of receiver Rs
queries during the commitment phase will be answered zero. But putting the oracle queries aside,
the hash value h does not carry any information about the bit-message b and therefore the scheme
is (1 2
n/8
)-hiding.
Equivocability. Let be the view of an arbitrary receiver

R after the commitment phase. Let
(A, h) be the matrix sent by

R and the hash value received from S, and let (x
1
, y
1
), . . . , (x
t
, y
t
) be
the oracle query/answer pairs asked from f
b
and described in (where b is the input given to the
sampler algorithm Sam). For each x
i
let Z
i
= z [ y
i
I(z) zA = h be the set of possible values
for a which y
i
falls into I(z), and recall that Z = z [ zA = h. (As we said before, since the last
m rows of A are independent, [Z
i
[ 2 for all i.) Note that y
i
= 0 if and only if a Z
i
. Therefore
the set of possible values for a is W = Z
y
i
,=0
Z
i
`
y
i
=0
Z
i
. Thus the sampler Sam simply outputs
a random element of W as the value for a. This can be done eciently since any candidate for a
(and in particular the members of W) can be identied by their rst nm bits, and the simulator
32
is given the list
y
i
=0
Z
i
of impossible values for a which is of length O(t), and therefore the verier
can nish the sampling in time poly([[) poly(t) which is allowed.
4.3 Noninteractive Locking Schemes Cannot Be Ecient
By a noninteractive locking scheme (NLS), we mean an ILS where the commitment phase is nonin-
teractive and sender S only participates in the decommitment phase. Note that an ecient locking
scheme by denition uses poly(n)-sized circuits to implement the locking oracle , and therefore
can have at most poly(n) entropy. In this section we show that there exist no ecient NLS with
super-polynomial security.
Since we are going to prove that NLSs cannot be ecient, we need to deal with unbounded
senders. Thus we can no longer assume that the decommitment phase is only a message (b, r
S
) sent
to the receiver, because the randomness r
S
used by the sender can be exponentially long. Therefore
to prove the strongest possible negative result, we allow the decommitment phase of a NLS to be
interactive.
The following theorem clearly implies Part 2 of Theorem 4.1.
Theorem 4.13. Let = (S, , R) be any NLS for message space 0, 1 in which the function of
the locking oracle has Shannon entropy at most H()
uq
1000
when the committed bit b is chosen
at random b 0, 1. Let u be an upper bound on the number of oracle queries to asked by the
receiver R in the decommitment phase. Then either of the following holds:
Violation of binding: There is a xed locking oracle , and a sender strategy

S such that
when is used as the locking orale, for both b = 0 and b = 1,

S can decommit successfully
with probability at least 4/5.
Violation of hiding: There exists an unbounded receiver

R who can guess the random bit
b 0, 1 used by (S, ) with probability at least 4/5 by asking at most u queries to the locking
oracle .
Intuition behind Theorem 4.13. Our main tool in proving Theorem 4.13 is the notion of
canonical entropy learner (EL) introduced in Denition 4.14. Roughly speaking, EL is an ecient-
query (computationally unbounded) algorithm which learns a randomized function f (with an oracle
access to f) under the uniform distribution assuming that f has a bounded amount of entropy.
EL proceeds by choosing to ask one of the unbiased queries of f at any step and stop if such
queries do not exist. An unbiased query x is one whose answer f(x) is not highly predictable with
the current knowledge gathered about f by EL. Whenever EL chooses to ask a query it learns
non-negligible entropy of f, and thus the process will stop after poly(n) steps. On the other hand,
when EL stops, all the remaining queries are biased and thus will have a predictable answer over
the randomness of f. We prove that either the receiver is able to nd out the secret message of the
sender (in an NLS) by running the EL algorithm, or otherwise if by the end of the learning phase
still part of the entropy left in the locking oracle is hiding the secret message, then a malicious
prover can plant at least two dierent messages in the locking oracle in such a way that it can
decommit to successfully.
Notation. In the following, for clarity, we use bold letters to denote random variables and use
the non-bold version of the bold variables to denote the samples of that random variable: x x.
33
Denition 4.14 (Canonical entropy learner). Suppose f is a random variable with the support
set f [ f : 0, 1
n
0, 1 of all Boolean functions dened over n bits of input. The canonical
entropy learner EL
f
is an oracle algorithm with access to f which asks its queries as follows. At

any time there is a set Q of query/answer pairs that EL
f
knows about f . Then if there is any new

query x (outside of Q) for which Pr[f (x) = 0 [ Q] 1 (in which case we call x an -unbiased
query of f with respect to Q) then EL
f
asks the lexicographically rst such x. EL

f
continues asking
as long as there is any -unbiased queries left. We call a query x (1 )-biased (with respect to
Q), if it is not -unbiased.
Lemma 4.15. Suppose < 1/2 and let the random variable Q be the set of query/answer pairs
that EL
f
learns when interacting with f . Then it holds that E[[Q[] H(f )/ where H() is the
Shannon entropy.
Proof. When x is an -unbiased query of f with respect to Q, then conditioned on Q, f (x) has
Shannon entropy at least H(f (x) [ Q) log(1/) +(1) log(1/(1)) > log(1/) > . Suppose
x
1
, . . . , x
[Q[
are the queries asked by EL
f
and x
[Q[+1
, . . . , x
2
n are the remaining queries not asked
by EL
f
in the lexicographic order, and suppose Q

i
is the set containing the pairs of the queries
x
1
, . . . , x
i
joint with their answers. Since the information about x
1
, . . . , x
i
and f (x
1
), . . . , f (x
i
) is
encoded in Q
i1
, therefore it holds that H(f ) =
i[2
n
]
H(f (x
i
) [ Q
i1
). Note that
H(f (x
i
) [ Q
i1
) = Pr[[Q
i
[ i]H(f (x
i
) [ Q
i1
[Q
i
[ i) + Pr[[Q
i
[ < i]H(f (x
i
) [ Q
i1
[Q
i
[ < i) .
We claim that H(f (x
i
) [ Q
i1
[Q
i
[ i) . The reason is that we are conditioning on the
cases of Q
i1
which determine x
i
as an -unbiased point (and we do not condition on any more
information). Therefore it holds that
H(f ) =
i[2
n
]
H(f (x
i
) [ Q
i1
)
i[2
n
]
Pr[[Q
i
[ i]H(f (x
i
) [ Q
i1
[Q
i
[ i)
i[2
n
]
Pr[[Q
i
[ i] = E[[Q[],
and so E[[Q[] H(f )/.
Now we turn to proving Theorem 4.13.
Proof. (of Theorem 4.13)
For simplicity, and without loss of generality, we assume that the oracle is Boolean and is
only dened over inputs of length n.
The attack of

R is as follows. The receiver runs the canonical entropy learner EL
f
with =
1/100u over the (random) function of the oracle (where the randomness of comes from the
randomness r
S
shared with the sender which includes the random bit b 0, 1). Recall that the
receiver cannot ask more than u queries. We dene Q
u
to be the set of query/answer pairs that the
receiver (who asks at most u oracle queries) learns about . It always holds that Q
u
Q where Q
is the set of query/answer pairs that EL
f
would learn without stopping after u queries. We call a

set T of query/answer pairs for predicting if there exists c 0, 1 such that Pr[b = c [ T] 9/10.
Let Q
u
be the value sampled by the random variable Q
u
and Q be the value sampled by the random
variable Q. There are two possibilities.
34
(1) There is a possible Q
u
(as a value of Q
u
) where Q
u
is not predicting and Q = Q
u
(i.e. there
is no -unbiased query conditioned on Q
u
).
(2) All possible values of Q
u
(as the result of the receivers learning algorithm) are either pre-
dicting or Q = Q
u
.
In the following we prove that Case (1) implies the violation of binding and Case (2) implies
the violation of hiding according to Theorem 4.13.
Case (1). First suppose that Case (1) holds. In particular there is a possible value Q as the
canonical entropy learners knowledge about such that Q is not predicting, namely:
1/10 < Pr[b = 0 [ Q] < 9/10 and 1/10 < Pr[b = 1 [ Q] < 9/10 .
Also note that conditioned on Q all the points x out of Q are (1)-biased and thus have a unique
likely answer. Namely for each x there is l
x
such that Pr[(x) = l
x
[ Q] < 1/100u. Since Q is
not predicting, for all x it holds that:
Pr[(x) = l
x
[ Q b = 0] =
Pr[(x) = l
x
b = 0 [ Q]
Pr[b = 0 [ Q]
<
Pr[(x) = l
x
[ Q]
1/10
< 1/10u .
(The same also holds if we condition on b = 1.) Therefore in addition to Q, if we condition on
b = 0 or b = 1, still all the points in are (1 1/10u)-biased.
Now we show that the binding property could be violated by a malicious sender and oracle
(
S, ). Consider the following cheating strategy:

1. Distribution of : Sample two oracles along with their (possibly exponentially long) ran-
domness (
0
, r
0
), (
1
, r
1
) according to the distributions (
0
, r
0
) (, r
S
[ Q b = 0) and
(
1
, r
1
) (, r
S
[ Q b = 1) and dene the oracle as follows.
If
0
(x) =
1
(x) = l
x
, then (x) =
0
(x) =
1
(x).
If
0
(x) = l
x
but
1
(x) = l
x
, then (x) =
0
(x).
If
1
(x) = l
x
but
0
(x) = l
x
, then (x) =
1
(x).
If
0
(x) =
1
(x) = l
x
, then (x) =
0
(x) =
1
(x).
2. The algorithm of

S: To decommit to b = 0, the sender

S announces b = 0 and uses r
0
as the randomness of S to interact in the decommitment phase. To decommit to b = 1,

S
acts similarly by announcing b = 1 and using the randomness r
1
in its interaction of the
decommitment phase.
Claim 4.16. If the sender generates the locking oracle (from
0
,
1
) as above and decommits to
zero by announcing 0 and using the randomness r
0
in the decommitment phase, then the receiver
will accept the interaction with probability at least 9/10.
Proof. After running the decommitment to zero, we call the experiment a defeat if the receiver asks
any query x such that
1
(x) = l
x
, and will call it a win otherwise. Note that if the experiment is
a win, then the receiver will accept the decommitment because all of the answers he gets for his
queries from will agree with
0
.
35
Now consider another experiment in which is again generated exactly the same as above, but
now
0
is used during the decommitment phase. It is clear that now the receiver will accept, but
again, we will call the experiment a defeat if the receiver asks any query x (from
0
) such that
1
(x) = l
x
.
We claim that the probability that the rst experiment is a defeat is exactly the same as that of
the second experiment. The reason is that, although the receiver in general behaves dierently in
the two experiments, the dierence starts by asking a query x such that
1
(x) = l
x
, and otherwise
all the answers given to to the receiver will be the same between and
0
.
Now we claim that the probability of defeat in the second experiment is less than 1/10. It would
nish the proof since in that case the probability of defeat in the rst experiment also will be less
than 1/10, and therefore the receiver will accept in the rst experiment with probability more than
9/10.
In the second experiment we can pretend that
1
is sampled after the verication is done using
the oracle
0
. The reason is that the behavior of the receiver is dened only based on
0
, while
1
is
only used to determine whether or not the experiment ends in defeat. So suppose X = x
1
, . . . , x
u
be the queries of the receiver before sampling

1
. Then for each one of x
i
X it holds that
Pr[
1
(x) = l
x
] < 1/10u and by the union bound, the probability that for at least one of the x X,
we get
1
(x) = l
x
is less than 1/10.
By symmetry, the same argument shows that if is generated as above and the sender pretends
that
1
is in the oracle and decommits to b = 1 (by using r
1
) the process leads to the accept of the
receiver R with probability more than 9/10.
We call a xed ( , r
0
, r
1
) generated as above a good sample for b = 0 if the decommitment of

S
to b = 0 as above leads to accept with probability at least 4/5. A simple average argument shows
that the sampled ( , r
0
, r
1
) is good for b = 0 with probability more than 1/2. A similar argument
shows that the sampled ( , r
0
, r
1
) is also good for b = 1 with probability more than 1/2. By the
pigeonhole principle there is a xed ( , r
0
, r
1
) which is both good for b = 0 and b = 1. Using this
( , r
0
, r
1
) the sender can decommit to both b = 0 and b = 1 and succeed with probability at least
4/5.
Case (2). If Case (2) holds, then we claim that the receiver R can guess the bit b with probability
at least 4/5. The reason is that by Lemma 4.15 it holds that E[[Q[] H()/ u/10. Therefore
by Markov inequality, with probability at least 9/10 it holds that [Q[ u in which case Q
u
= Q.
Moreover since Case (2) holds, whenever Q = Q
u
, then Q is predicting and the receiver R can
guess b correctly with probability at least 9/10. Therefore the receiver R would guess b correctly
with probability at least (9/10)(9/10) > 4/5 which is a violation of hiding according to Theorem
4.13.
5 The Impossibility of Oblivious Transfer
In this section we prove that in the stateless token model, there is no statistically secure protocol for
Oblivious Transfer (OT), when the only limitation on malicious parties is being bounded to make
polynomially many queries to the tokens. We rst dene the (bit) oblivious transfer functionality.
For simplicity we use a denition with completeness one, but our negative result easily extends to
protocols with imperfect completeness.
36
The stateless token model. In the stateless (tamper-proof hardware) token model, two (com-
putationally unbounded) interactive algorithms A and B will interact with the following extra
feature to the standard model. Each party at any time during the protocol can construct a circuit
T and put it inside a token and send the token T to the other party. The party receiving the
token T will have oracle access to T and is limited to ask poly(n) number of queries to the token.
The parties can exchange poly(n) number of tokens during the interaction. The stateless token
model clearly extends the IPCP model in which there is only one token sent from the prover to the
verier in the beginning of the game. Therefore proving any impossibility result in the stateless
token model clearly implies the same result for the the IPCP model. It is easy to see that without
loss of generality the parties can avoid sending explicit messages to each other and can only use
tokens (with messages planted inside the tokens) to simulate all the classical communication with
the tokens.
Denition 5.1 (Oblivious Transfer). A protocol (S, R) for oblivious transfer (in the standard or
the token model), consists of a sender S and a receiver R. The parties both receive 1
n
where n is
the security parameter. The sender S holds the secret input (x
0
, x
1
), x
i
0, 1, and the receiver R
holds the input i 0, 1. At the end of the protocol, the receiver outputs y where (with probability
one) it holds that y = x
i
. We dene the following security measures.
Receivers security: This property guarantees that the sender is not able to nd out which
of x
0
and x
1
is read by the receiver. Formally, for any malicious sender

S who asks poly(n)
token queries and outputs j, it holds that Pr
i|0,1
[i = j] 1/2 + neg(n).
Senders security: This property guarantees that no receiver can read both of x
0
and
x
1
. Formally, for any malicious receiver

R who asks poly(n) token queries, with probability
1 neg(n) the view v
R
of

R satises either of the following:
Pr
(x
0
,x
1
)|0,1
2
[x
0
= 0 [ v
R
] =
1
2
neg(n) or Pr
(x
0
,x
1
)|0,1
2
[x
1
= 0 [ v
R
] =
1
2
neg(n).
Oblivious transfer by semi-honest parties. If one of the parties is semi-honest (i.e. runs
the protocol honestly, and only remembers its view for further o-line investigation), then in fact
unconditionally secure OT is possible in the stateless token model. If the receiver is honest, then
the protocol is simply a token T sent from the sender which encodes T(0) = x
0
, T(1) = x
1
. The
receiver will read T(i) to learn x
i
. Moreover it is well known that secure OT in one direction implies
the existence of secure OT in the other direction, so if the sender is semi-honest unconditionally
secure OT is possible in the stateless token model.
In this section we prove that statistically secure OT is impossible in the stateless token model, if
both parties are slightly more malicious than just being semi-honest. Roughly speaking, we dene
the notion of curious parties who run the original protocol (honestly), but will ask more queries
from the tokens along the way.
6
We will prove that for any protocol (A, B) aiming to implement
OT, there are curious extensions of the original parties (A
cur
, B
cur
) who break the security of the
protocol. More formally we dene curious parties as follows.
6
The term honest but curious is sometimes used equivalent to semi-honest. Our notion is dierent from
both of them because a curious party deviates from the protocol slightly by learning more but emulates the original
protocol honestly.
37
Denition 5.2. Let (A, B) be a two party protocol in the token model. We call the protocol A
cur
a curious extension of A, if A
cur
runs the same protocol as A, but at any point during the protocol
it might ask arbitrary queries from tokens sent from B. We call A
cur
ecient, if it asks only poly(n)
queries totally. By Q
Acur
we denote the set of triples representing total query/answer information
that A
cur
gathers about the tokens it receives, and we use Q
A
to denote only the query/answers
for the underlying emulated algorithm A (and so Q
A
Q
Acur
).
We will prove the following theorem.
Theorem 5.3 (No unconditional OT from stateless tokens). Let (S, R) be any protocol for the
oblivious transfer in the stateless token model. Then there are curious extensions (S
cur
, R
cur
) to
the original algorithms where (S
cur
, R
cur
) (and thus (S, R)) is not a secure protocol for oblivious
transfer even when the inputs are random. More formally either of the following holds:
Violation of senders security: When the sender S chooses x
0
and x
1
at random from
0, 1 and interacts with R
cur
, then R
cur
can nd out both of x
0
and x
1
with probability at
least 51/100.
Violation of receivers security: When the receiver R chooses i 0, 1 at random and
interacts with S
cur
, then S
cur
can guess i correctly with probability at least 51/100.
In the following section we rst show that any protocol (S, R) with the following sampling
condition can not implement OT securely (Lemma 5.5). The sampling condition is that one can
sample the randomness of the receiver R conditioned on the view of the sender S. This sampling
condition extends the accessible entropy notion introduced by Haitner et al [HHRS07] to the
token model (in an information theoretic way) and is equivalent to saying that the entropy of the
receiver is accessible. Then we show (Theorem 5.8) that for any protocol (S, R), there is a curious
extension S
cur
, R
cur
where almost all the entropy is accessible, and this will prove Theorem 5.3.
Notation. In the following, for clarity, we use bold letters to denote random variables and use
the non-bold version of the bold variables to denote the samples of that random variable: x x.
For example r
A
will denote the randomness of Alice as a random variable and r
A
denotes the actual
randomness used by Alice.
5.0.1 Breaking oblivious transfer by accessing the entropy
In the standard model of interaction (without tokens) all the information exchanged between two
parties is represented in the transcript of the interaction. This means that information theoreti-
cally, an unbounded Bob can sample from r (r
B
[ ): his own space of randomness conditioned
on what Alice knows about it (which is the transcript of the protocol ) and vice versa. So informa-
tion theoretically Bob is not committed to anything more than what Alice knows about him (but
of course Bob might not be able to sample from this distribution eciently). Roughly speaking if
the sampling r
B
(sup(r
B
) [ ) can be done eciently at any time during the protocol, [HHRS07]
calls such protocol one with accessible entropy.
The fact that in the standard model unbounded parties can access all the entropy makes un-
conditional oblivious transfer to be impossible in this model. The reason is that at the end of the
protocol, either the sender S can nd out which bit is read by the receiver R by sampling from
r (r
R
[ ), or otherwise a sample from r (r
R
[ ) will reveal either of the inputs x
0
, x
1
with
38
probability 1/2 and thus Bob can nd out both of them by taking enough number of samples.
We will formalize this argument in the case of token model in Lemma 5.5 below.
In the token model, however, the information exchanged between the parties is not shared
by them. Namely, the set Q
A
(see Denition 5.2) captures the information that the algorithm
A gathers from the tokens he has received from the other party B, and this set is dierent from
Q
B
. Moreover, it might be impossible for A to nd out Q
B
exactly. Therefore if we consider
= (Q
A
, Q
B
) to be the transcript of the protocol in the token model, Alice and Bob each know
part of , and this makes the above argument (for the impossibility of OT) fail. In fact, as we
said, if either of the parties is semi-honest, then unconditional OT is possible in the stateless token
model.
The following denition generalizes the notion of accessible entropy to the token model (from
an information theoretic perspective).
Denition 5.4 (Accessible entropy in the token model). Let (A, B) be a protocol in the token
model between Alice and Bob. We say the entropy of Bob can be (1 )-accessed if there is a
sampling algorithm Sam
B
as follows. Sam
B
receives a possible view for Bob (r, Q) as input and
outputs another possible view for Bob (r
t
, Q
t
) with the following property: With probability at
least 1 over the choice of (r
A
, r
B
) (r
A
, r
B
), if Q
A
, Q
B
denote to the information that Alice
and Bob has gathered from the tokens at any time during the execution of the protocol, it holds
that
SD((r
B
, Q
B
[ r
A
, Q
A
), Sam
B
(r
B
, Q
B
)) .
We say that B has inaccessible entropy, if the entropy of B is not (1 )-accessible.
Comments about Denition 5.4 .
One can dene a computational version of Denition 5.4 in the standard model where Sam
B
is
ecient and given it samples from a distribution which is -close to (r
B
[ ). It can be shown
that an interactive algorithm B has non-negligible inaccessible entropy in this denition if and only
if B has non-negligible inaccessible entropy according to the denition of [HHRS07].
[HHRS07] shows that in the standard computational setting non-negligible inaccessible entropy
implies statistically hiding commitments. We shall point out that in the stateless token model, as
we will see, if both parties are curious enough, then almost all the entropy can be accessed, but
as we saw in Theorem 4.1 unconditionally secure commitment schemes does exist. The dierence
between the standard computational model of interaction and the token model is that in the
standard computational model the sampled r (r
B
[ ) can be used (by a potentially malicious
Bob) as a witness that Bob is running the protocol appropriately and even be used to continue the
protocol without being caught by Alice, but in the token model a sampled r = Sam
B
(r
B
, Q
B
) might
contradict the future queries of Alice to the tokens she that is holding from Bob. The fact that Alice
can caught Bobs claim by asking more token queries is highly used in our both Constructions 4.4
and 4.9 of ILSs. In fact, if one denes a simple commitment scheme as one where the receiver is not
allowed to ask token queries during the decommitment phase, then a similar argument to Lemma
5.5 below shows that simple commitment schemes imply (non-negligible) inaccessible entropy, and
therefore unconditional simple commitments are impossible to achieve in the stateless token model.
Lemma 5.5 (Oblivious transfer needs inaccessible entropy). Let (S, R) be a protocol for random
oblivious transfer where the senders inputs x
0
, x
1
are part of r
S
and receivers input i is part of
39
r
B
. If (S, R) has perfect completeness and the entropy of the receiver R can be 0.99-accessed, then
either of the following holds:
Violation of senders security: When the sender S interacts with R, then R can nd out
both of x
0
and x
1
correctly with probability at least 51/100.
Violation of receivers security: When the receiver R chooses i 0, 1 at random and
interacts with S, then S can guess i correctly with probability at least 51/100.
Proof. We show that if Sam
R
1-accesses the entropy, then either of the security failures above
holds with probability at least 53/10. Using the actual Sam
R
(which 0.99-accesses the entropy) will
change the success probability of the attacks by at most 2/100 which still remain at least 51/100.
So in the following we assume that Bob also can sample from the distribution (r
R
[ r
S
, Q
S
) where
by Q
S
we denote the nal set of query/answers that the sender learns about the receivers tokens.
We call (r
S
, Q
S
) a predicting pair, if either Pr[i = 0 [ r
S
, Q
S
] 9/10, or Pr[i = 1 [ r
S
, Q
S
] 9/10.
Now there are two possible cases:
Pr[(r
S
, Q
S
) is predicting] 1/10: Then the sender can predict i by probability at least
1/2 +1/10 > 53/10 as follows: Whenever (r
S
, Q
S
) is predicting, use the predicted value, and
whenever it is not use a random guess. This violates the security of the receiver.
Pr[(r
S
, Q
S
) is predicting] 1/10: Therefore, with probability at least 9/10 (r
S
, Q
S
) is not
predicting. For a non-predicting (r
S
, Q
S
), by sampling (r
t
R
, Q
t
R
) (r
R
, Q
R
[ r
S
, Q
S
) we get
either of the cases i = 0 or i = 1 with probability at last 1/10. By the assumed perfect
completeness of the protocol the output of the sampled (r
t
R
, Q
t
B
) is equal to x
i
. Note that
sender can sample from (r
R
, Q
R
[ r
S
, Q
S
) by using the sampler Sam
R
. When (r
S
, Q
S
) is not
predicting, by sampling n samples (r
t
R
, Q
t
R
) (r
R
, Q
R
[ r
S
, Q
S
), the receiver can nd both
of x
0
and x
1
with probability 1 neg(n). Therefore, since (r
S
, Q
S
) is not predicting with
probability 9/10, the receiver can nd both inputs of the sender with probability at least
(9/10) (9/10 neg(n)) > 53/100.
5.0.2 Curious extensions who access the entropy
In this section we dene a specic curious extension to the protocols in the stateless token model
which we call canonical curious extensions and prove that almost all the entropy of such protocols
can be accessed. Roughly speaking, a canonical curious extension of an interactive algorithm is a
curious extension of the original protocol where the parties ask their extra token queries according
to the canonical entropy learner of Denition 4.14. Each time that an unbiased query q is asked,
it reveals a noticeable amount of information about the other partys private randomness. By the
same argument as Lemma 4.15, since the entropy H(r
A
) +H(r
B
) poly(n) is bounded, by asking
only ecient number of queries one can learn enough information to predict the answer to any other
(xed) query to the tokens. In particular, the answer to the query that is going to be asked in the
emulation of the original protocol will be predictable, so we can ignore asking such queries and use
the predicted answers in the emulation of the original protocol. We call the new protocol which
uses the predicted values an ideal protocol (A
id
, B
id
) which will simulate the original protocol
(A, B) up to 1/poly(n) statistical distance.
40
Finally, the main point is that in the ideal protocol the parties know exactly what the other
party knows about them! The proof uses induction. Assuming that Alice and Bob both know
(Q
A
id
, Q
B
id
), they can nd out which queries are -unbiased from Alices and Bobs point of view.
When Alice is asking such a query Bob knows the query and its answer (since it is from a token
generated by Bob) and vice versa. Therefore, (r
A
id
, Q
A
id
) will determine Q
B
id
and (r
B
id
, Q
B
id
) will
determine Q
A
id
and in a sense we are back to the standard model where the transcript is known to
both parties, and thus all the entropy can be accessed!
It will be easier for us to rst dene the ideal experiment Ideal and then dene how the canonical
curious parties behave.
Denition 5.6 (Ideal experiment.). Let (A, B) be a protocol in the stateless token model. The
protocol (A
id
, B
id
) will depend on (A, B) and will be executed in the experiment Ideal as follows.
Randomness: (A
id
, B
id
) will use the same randomness (r
A
, r
B
) and will (try to) emulate
(A, B).
Set of token query/answers: (A
id
, B
id
) will inductively update the sets Q
A
id
and Q
B
id
which encode the information they have gathered from the other partys tokens so far.
Mutual Knowledge: A crucial point is that Q
A
id
and Q
B
id
will be known to both Alice and
Bob inductively. Namely, A
id
can nd out the updates to the set Q
B
id
without B
id
explicitly
revealing that information to A
id
and vice versa. How this condition holds and how the
emulation of (A, B) is done is claried next.
Emulation: Suppose during the emulation we are at a time where A needs to ask the query
q
0
from a token T. Instead of doing so, A
id
runs the canonical entropy learner of Denition
4.14 over the tokens (T
B
1
, . . . , T
B
i
) that he holds from Bob. Namely, A
id
considers the uniform
distribution of (r
A
, r
B
) consistent with the transcript of the interaction: (Q
A
id
, Q
B
id
). Note
that, by inductions assumption A
id
knows Q
B
id
as well. Now if there is any query q to
any of the tokens (T
B
1
, . . . , T
B
i
) sent from Alice such that q is -unbiased, then A
id
asks the
lexicographically rst such query q
1
and updates Q
A
id
. We stress that since B
id
knows also
Q
A
id
, he is also able to nd the query q
1
, and moreover since this query is asked to one of
the tokens that Bob has generated, B
id
knows the answer as well. So Bob also knows the
update to the set Q
A
id
the same as Alice. When A
id
is done with the learning phase before
asking q
0
, it not ask the query q
0
, but rather will use the likely answer l
q
0
which is uniquely
determined by the updated (Q
A
id
, Q
B
id
) (but of course l
q
0
might be dierent from the actual
solution provided by the token). B
id
will emulate B similarly.
Now we dene the experiment CanCur in which a canonical curious extension of the protocol
(A, B) is dened.
Denition 5.7 (Canonical curious extensions). Let (A, B) be a two party protocol in the stateless
token model. A Canonical Curious extension of A denoted by A
cc
receives two parameters : the
curiosity parameter and u: the upper bound on the number of extra queries asked by A. A
cc
acts
in the experiment CanCur as follows:
A
cur
runs the algorithm A with randomness r
A
and emulates the interaction of A with B.
The set Q
A
denotes the set of token query/answers corresponding to this emulation.
41
A
cur
also keeps updating a set of token query/answers Q
A
id
by pretending that it is being
executed in the experiment Ideal. A
cur
stops asking more extra queries (i.e. the queries out
of Q
A
) whenever [Q
A
id
[ = u. Note that in CanCur (as opposed to CanCur), A
cc
does ask the
emulated queries of A from the tokens and uses the answer for further computations.
The total token queries/answer knowledge of A
cur
is encoded in Q
Acur
= Q
A
Q
A
id
.
Now we prove the following theorem showing that by taking small enough, one can access
almost all the entropy of (A
id
, B
id
) eciently.
Theorem 5.8 (Canonical curious parties can access the entropy). Let (A, B) be a protocol in the
stateless token model between Alice and Bob where they totally ask k = poly(n) number of queries
to the tokens exchanged. For a given = 1/poly(n) let be such that = 2(k +
k) and let
u =
[r
A
[
k
2
. If is used as the curiosity parameter and u is used as the upper-bound parameter, then
the entropy of B
cc
in (A
cc
, B
cc
) is (1 )-accessible.
Note that Theorem 5.8 and Lemma 5.5 together imply Theorem 5.3 as a corollary.
Intuition. Roughly speaking Theorem 5.8 follows from the following facts:
1. Entropy is accessible in Ideal: The entropy of A
id
is 1-accessible, because Q
A
id
and Q
B
id
are known to both parties at any time during the protocol.
2. Parties are ecient in Ideal: By Lemma 4.15 A
id
on average asks at most H(r
B
)/ =
[r
B
[/ poly(n) number queries.
3. Ideal and CanCur are close: As long as the likely answers used by A
id
and B
id
for the
emulation of (A, B) are correct, the two experiments Ideal and CanCur are exactly the same.
Let WG (Wrong Guess) be the event that one of these likely answers used is incorrect. By
denition, he probability that WG happens at any particular query in Ideal is at most , and
therefore the probability of WG is bounded by k. By taking small enough we can make
k arbitrary small.
The formal proof follows.
Proof. (of Theorem 5.8) The sampling algorithm Sam
B
in CanCur will perform the sampling by
simply pretending that it is being used in the experiment Ideal (by ignoring Q
B
and only using
Q
B
id
and r
B
). We will show that with probability 1 over (r
A
, r
B
) the sampler Sam
B
will sample
-close to the right distribution all along the execution of CanCur.
As a mental experiment, we sample (r
A
, r
B
) (r
A
, r
B
) and run both of the experiments CanCur
and Ideal in parallel with the same randomness (r
A
, r
B
). We use the notation Pr
cc
[] to denote the
probability of an event in CanCur and use Pr
id
[] to denote the probability of an event in Ideal.
Let WG
i
to be the event in the experiments CanCur and Ideal that holds i the ith query q
i
asked by Alice or Bob in is not the likely answer, and dene the event WG =
i
WG
i
.
We modify CanCur slightly and let the size of Q
A
id
and Q
B
id
to grow beyond u. Our proof
will take care of this issue indirectly. By this change, it is easy to see that as long as WG does
not happen the experiments CanCur and Ideal are exactly the same. In particular it holds that
Pr
cc
[WG] = Pr
id
[WG]. Since (r
A
, r
B
) determines the whole execution of the experiments CanCur
42
and Ideal we can talk about the event WG(r
A
, r
B
), and Pr
(r
A
,r
B
)
[WG] is the same in CanCur and
Ideal.
The following claim shows that by taking small enough CanCur and Ideal will become statis-
tically close.
Claim 5.9. It holds that Pr
(r
A
,r
B
)
[WG] k.
Proof. If show that Pr
id
[WG
i
] the claim follows by union bound over i [k]. But Pr
id
[WG
i
]
holds by the denition of the experiment Ideal and -unbiased queries.
We call (r
A
, r
B
) a good sample if the following conditions hold when (r
A
, r
B
) is used to run the
experiments:
1. WG does not happen.
2. [Q
B
id
[ and [Q
B
id
[ does not pass the upper limit u.
3. At any time during the execution if Q
A
id
, Q
B
id
, Q
Acc
, and Q
Bcc
denote the set of query/answers
in the both experiments in that moment it holds that
Pr
id
[WG happened before [ Q
A
id
, Q
B
id
]
k and
Pr
cc
[WG happened before [ Q
Acc
, Q
Bcc
]
k.
Claim 5.10. Pr[(r
A
, r
B
) is good ] 1 .
Proof. By Claim 5.9 the rst property holds with probability at least 1 k.
By Lemma 4.15 and using the Markov inequality the second property holds in Ideal with prob-
ability at least 1 k. So both properties 1 and 2 hold with probability at least 1 2k.
We use Lemma 2.3 with the following parameters X = (r
A
, r
B
), F = WG, Z
i
= (Q
A
id
, Q
B
id
)
where (Q
A
id
, Q
B
id
) their value at the ith moment and p =
k. Now Lemma 2.3 implies that the

third property holds for Ideal (and similarly for CanCur) with probability at least 1
k.
Therefore all the properties hold for a random (r
A
, r
B
) with probability at least 12k2
k =
1 .
Suppose the sampled (r
A
, r
B
) is a good one. Then, by the st property, all along the execution
CanCur and Ideal will be the same. The second property will guarantee the ecaciously with respect
to the upper bound u.
Now suppose Sam
B
is run over the input (r
B
, Q
Bcc
) at an arbitrary moment during the execution
of the system. By the rst property, the sampler Sam
B
will conclude the correct Q
Acc
. Therefore
Sam
B
will sample exactly according to (r
B
id
, Q
A
id
[ r
A
id
, Q
A
id
) in Ideal. By the third property the
probability that WG has happened before is at most
k in either of CanCur or Ideal. Finally

we note that if one samples (r
B
, Q
Bcc
) conditioned on (Q
A
id
, Q
B
id
) and conditioned on WG, the
samples have the same distribution in Ideal and CanCur. This means that if (r
A
, r
B
) is good, the
sampler Sam
B
will sample 2
k < -close to the right distribution. This nishes the proof that
Sam
B
(1 )-accesses the entropy of A
cc
in (A
cc
, B
cc
).
43
6 Unconditional UC Secure Computation: Encapsulating Tokens
inside Tokens
6.1 The Model
First we dene the functionality T
enc
that models the fact that the parties can put any number of
received tokens inside a new one. The idea of T
enc
, described in Figure 1, is to model the following
real-world functionality: party P
i
sends a stateless token M to party P
j
. This stateless token may
have encapsulated inside it a number of other stateless tokens which P
i
received from other parties
(such encapsulated tokens subsequently become unavailable to P
i
after sending out M). Since the
token is stateless, P
j
can run M multiple times on inputs of its choice. While running, M can access
its internal tokens in a black box way by querying any of them any number of times. Thus, T
enc
saves the description of the oracle machines it gets from a party in create messages, and lets the
other party run them multiple times. Each machine is uniquely identied by a machine identier
mid.
Functionality T
enc
T
enc
is parameterized by a polynomial p() and an implicit security parameter .
Create Upon receiving (create, sid, P
i
, P
j
, mid, M, List) from P
i
, where M is an Oracle
machine, do:
1. If any of the tokens specied in List is marked unavailable or does not have P
i
as the
recipient, do nothing. Else, mark all tokens in List as unavailable. (This step ensures
that a received token cannot be used in constructing multiple other tokens.)
2. Send (create, sid, P
i
, P
j
, mid) to P
j
.
3. Store (P
i
, P
j
, mid, M, List).
Execute Upon receiving (run, sid, P
i
, mid, msg) from P
j
, nd the unique stored tuple
(P
i
, P
j
, mid, M). If no such tuple exists or if this token is marked unavailable, do noth-
ing. (This step ensures that a received token cannot be queried after it has been used up
in constructing another token.)
Run M(msg). While running if M makes a query specifying mid, check if mid is in List
associated with M. If not, output .
Else, evaluate the machine mid on the given query recursively and supply the response to
M. Let out be the output of M (out = if the entire computation does not halt in p(k)
steps). Send (sid, P
i
, mid, out) to P
j
.
Figure 1: Ideal functionality for stateless tokens with encapsulation
44
6.2 Construction for Unconditional UC Secure Computation
We rst show how to construct an unconditional UC secure commitment scheme COM in the token
encapsulation model described above. We then present a construction for unconditional UC secure
OT building on the commitment scheme COM. This in turn implies the existence of unconditional
general UC secure computation by invoking the results from [IPS08, Kil88].
Unconditional UC Secure Commitment The committer Alice wishes to commit to a bit b
to the receiver Bob. We build upon the interactive locking scheme in Section 4. We can get a
commitment scheme in the stateless hardware token model using an interactive locking scheme
where the sender is the committer and the locking oracle is implemented using a stateless hardware
token. We call this commitment scheme com. The commit phase of our commitment scheme COM
proceeds as follows:
Bob rst generates a random string r 0, 1
k
and uses the commitment scheme com to
commit r to Alice.
Alice breaks the bit b into k pairs of 2-out-of-2 random shares. That is, for all i [k], Alice
picks b
0
i
and b
1
i
at random such that b
0
i
b
1
i
= b. Now i, j, Alice commits b
j
i
to Bob using
the commitment scheme com.
Alice further construct a token T as follows. Alice puts her entire state in T including all
tokens received from Bob, the input and randomness and the protocol transcript so far. The
functionality of T is described in the next step.
The token T expects as input from Bob a string r
t
that Bob committed to in the rst step
along with the decommitment to r
t
(i.e., the randomness he used to commit to r
t
in the rst
step). T veries that the decommitment is valid by possibly querying the encapsulated tokens
Alice received from Bob in the rst step. If the check fail, T outputs . Otherwise, i [k],
T outputs b
r
[i]
i
and the decommitment to b
r
[i]
i
(where r
t
[i] represents the i-th bit of the string
r
t
).
Bob queries T with the string r and its decommitment and gets in return, i [k], b
r[i]
i
and
the decommitment to b
r[i]
i
. Bob veries all the decommitments (by possibly querying the
tokens he received from Alice in the second step. Bob aborts and rejects the commitment in
case any of the decommitments is found invalid.
The decommitment phase for COM simply consists of Alice revealing b
j
i
and its decommitment
i [k], j 0, 1 along with the bit b. Bob veries that all the decommitments are valid and that
i, b
0
i
b
1
i
= b. If so, Bob accepts the decommitment to bit b and rejects otherwise.
Proof Sketch. The above protocol can be shown to be UC secure using standard techniques.
Below we only provide the main idea behind the proof and defer the details to the full version.
Corrupted Committer: In this case, the simulator Sim works by extracting the input of the
committer and sending it to the ideal trusted functionality. This can be done using the following
idea. The simulator runs the commit phase honestly with the committer. At the end of the commit
phase, Sim utilizes the equivocability property of the interactive locking scheme to make additional
45
queries to the token T and get a valid response (thus enabling him to extract b). In other words,
Sim chooses a random string r
1
and sends a decommitment to r
1
. Sim uses the simulator associated
with the equivocability property of ILS to generate such a valid decommitment to r
1
(and answer
the queries made by T to the encapsulated token). If T gives a valid answer, Sim computes the
committed bit b (and sends it to the ideal functionality). Else, Sim tries again with another random
string. Sim will terminate in expected polynomial time since T gave a valid response on the rst
(honest) query made by Sim.
Corrupted Receiver: In this case, Sim executes the commitment phase honestly and commits
to a random bit. At the start of the decommit phase, Sim gets the bit b to be decommitted to from
the ideal functionality. Then Sim, for each of the k pair of shares, chooses the unopened share to
be such that the XOR of the two shares equals b. Next, Sim uses the equivocability property of
the interactive locking scheme to decommit all his commitments (in step 2 of the protocol) to the
appropriate shares as chosen.
Unconditional UC Secure Oblivious Transfer The sender Alice has the input strings (s
0
, s
1
)
while the receiver Bob has the selection bit c. The OT protocol proceeds as follows:
Bob commits to its selection bit c using the commitment scheme COM.
Alice constructs a token G as follows. Alice puts her entire state in G including all to-
kens received from Bob, the input and randomness and the protocol transcript so far. The
functionality of G is described in the next step.
The token G expects as input from Bob a string c
t
that Bob committed to in the rst step
along with the decommitment to c
t
(i.e., the randomness he used to commit to c
t
in the rst
step). G veries that the decommitment is valid by possibly querying the encapsulated tokens
Alice received from Bob in the rst step. If the check fail, G outputs . Otherwise, G outputs
the string s
c
.
Bob queries G with the string c and its decommitment and gets in return s
c
as his output of
the protocol. If G aborts without giving a response, Bob takes 0 to be received output.
Proof Sketch. We consider the following two cases separately.
Corrupted Sender: In this case, the simulator Sim works by extracting the input strings of
the sender and sending them to the ideal trusted functionality. This can be done as follows. Sim
commits to a random choice bit in the rst step and receives the token G. Sim then simply uses
the equivocation property of the commitment scheme COM to query the token G on both 0 and
1 as the choice bits and get the response (if G aborts in any query, Sim takes 0 to be response).
Sim then sends the two extracted strings to the ideal functionality.
Corrupted Receiver: In this case, Sim simply extracts the choice bit c of the receiver in the
rst step. This can be done by using the simulator associated with the commitment scheme COM.
Sim then sends the extracted choice bit c to the trusted functionality and gets the output s
c
. Sim
then picks s
c
at random and honestly prepares the token G with s
c
, s
c
as the input strings.
46
References
[AH91] William Aiello and Johan Hastad. Statistical zero-knowledge languages can be recog-
nized in two rounds. J. Comput. Syst. Sci., 42(3):327345, 1991.
[ALM
+
98] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy.
Proof verication and the hardness of approximation problems. J. ACM, 45(3):501
555, 1998.
[AS98] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: A new characteri-
zation of np. J. ACM, 45(1):70122, 1998.
[BFL90] Laszlo Babai, Lance Fortnow, and Carsten Lund. Non-deterministic exponential time
has two-prover interactive protocols. In FOCS, pages 1625, 1990.
[BGKW88] Michael Ben-Or, Sha Goldwasser, Joe Kilian, and Avi Wigderson. Multi-prover in-
teractive proofs: How to remove intractability assumptions. In STOC, pages 113131,
1988.
[BGW88] Michael Ben-Or, Sha Goldwasser, and Avi Wigderson. Completeness theorems for
non-cryptographic fault-tolerant distributed computation (extended abstract). In
STOC, pages 110, 1988.
[BM88] Laszlo Babai and Shlomo Moran. Arthur-Merlin games: A randomized proof system
and a hierarchy of complexity classes. Journal of Computer and System Sciences,
36:254276, 1988.
[Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic
protocols. In FOCS, pages 136145, 2001.
[CCD88] David Chaum, Claude Crepeau, and Ivan Damgard. Multiparty unconditionally secure
protocols (extended abstract). In STOC, pages 1119, 1988.
[CCM98] Christian Cachin, Claude Crepeau, and Julien Marcil. Oblivious transfer with a
memory-bounded receiver. pages 493502, 1998.
[CGGM00] Ran Canetti, Oded Goldreich, Sha Goldwasser, and Silvio Micali. Resettable zero-
knowledge (extended abstract). In STOC, pages 235244, 2000.
[CGS08] Nishanth Chandran, Vipul Goyal, and Amit Sahai. New constructions for UC secure
computation using tamper-proof hardware. In EUROCRYPT, pages 545562, 2008.
[CK88] Claude Crepeau and Joe Kilian. Achieving oblivious transfer using weakened security
assumptions (extended abstract). In FOCS, pages 4252, 1988.
[DFK
+
92] Cynthia Dwork, Uriel Feige, Joe Kilian, Moni Naor, and Shmuel Safra. Low commu-
nication 2-prover zero-knowledge proofs for np. In CRYPTO, pages 215227, 1992.
[DHRS04] Yan Zong Ding, Danny Harnik, Alon Rosen, and Ronen Shaltiel. Constant-round
oblivious transfer in the bounded storage model. In Theory of Cryptography, First
Theory of Cryptography Conference, TCC 2004, pages 446472, 2004.
47
[For89] Lance Fortnow. The complexity of perfect zero-knowledge. Advances in Computing
Research: Randomness and Computation, 5:327343, 1989.
[FRS88] Lance Fortnow, John Rompel, and Michael Sipser. On the power of multi-prover
interactive protocols. In Theoretical Computer Science, pages 156161, 1988.
[GIS
+
10] Vipul Goyal, Yuval Ishai, Amit Sahai, Ramarathnam Venkatesan, and Akshay Wadia.
Founding cryptography on tamper-proof hardware tokens. In TCC, 2010.
[GKR08a] Sha Goldwasser, Yael Tauman Kalai, and Guy Rothblum. One-time programs. In
CRYPTO, Lecture Notes in Computer Science, pages 3956. Springer, 2008.
[GKR08b] Sha Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. Delegating computation:
interactive proofs for muggles. In STOC, pages 113122, 2008.
[GMR89] Sha Goldwasser, Silvio Micali, and Charles Racko. The knowledge complexity of
interactive proof systems. SIAM Journal on Computing, 18(1):186208, 1989. Prelim-
inary version in STOC85.
[GMW91] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their
validity or all languages in NP have zero-knowledge proof systems. Journal of the
ACM, 38(1):691729, 1991. Preliminary version in FOCS86.
[GO96] Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious
rams. J. ACM, 43(3):431473, 1996.
[HHK
+
05] Iftach Haitner, Omer Horvitz, Jonathan Katz, Chiu-Yuen Koo, Ruggero Morselli,
and Ronen Shaltiel. Reducing complexity assumptions for statistically-hiding commit-
ment. In Advances in Cryptology EUROCRYPT 2005, pages 5877, 2005. See also
preliminary draft of full version, www.wisdom.weizmann.ac.il/
~
iftachh/papers/
SCfromRegularOWF.pdf.
[HHRS07] Iftach Haitner, Jonathan J. Hoch, Omer Reingold, and Gil Segev. Finding collisions
in interactive protocols A tight lower bound on the round complexity of statistically-
hiding commitments. In Proceedings of the 47th Annual Symposium on Foundations of
Computer Science (FOCS). IEEE Computer Society, 2007.
[HL08] Carmit Hazay and Yehuda Lindell. Constructions of truly practical secure protocols
using standardsmartcards. In ACM Conference on Computer and Communications
Security, pages 491500, 2008.
[HR07] Iftach Haitner and Omer Reingold. A new interactive hashing theorem. In IEEE
Conference on Computational Complexity, pages 319332, 2007. See also preliminary
draft of full version at the rst authors home page.
[HRVW09] Iftach Haitner, Omer Reingold, Salil P. Vadhan, and Hoeteck Wee. Inaccessible entropy.
In STOC, pages 611620, 2009.
[IPS08] Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious
transfer - eciently. In David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes
in Computer Science, pages 572591. Springer, 2008.
48
[IR89] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-
way permutations. In Proceedings of the 21st Annual ACM Symposium on Theory of
Computing (STOC), pages 4461. ACM Press, 1989.
[Kat07] Jonathan Katz. Universally composable multi-party computation using tamper-proof
hardware. In EUROCRYPT, Lecture Notes in Computer Science, pages 115128.
Springer, 2007.
[Kil88] Joe Kilian. Founding cryptography on oblivious transfer. In Proceedings of the 20th
Annual ACM Symposium on Theory of Computing (STOC), 988.
[KLR06] Kushilevitz, Lindell, and Rabin. Information-theoretically secure protocols and security
under composition. In STOC: ACM Symposium on Theory of Computing (STOC),
2006.
[Kol10] Vladimir Kolesnikov. Truly ecient string oblivious transfer using resettable tamper-
proof tokens. In TCC, pages 327342, 2010.
[KPT97] Joe Kilian, Erez Petrank, and Gabor Tardos. Probabilistically checkable proofs with
zero knowledge. In STOC: ACM Symposium on Theory of Computing (STOC), 1997.
[KR08] Yael Tauman Kalai and Ran Raz. Interactive PCP. In ICALP (2), pages 536547,
2008.
[LS95] Dror Lapidot and Adi Shamir. A one-round, two-prover, zero-knowledge protocol for
np. Combinatorica, 15(2):204214, 1995.
[Mau92] Ueli M. Maurer. Conditionally-perfect secrecy and a provably-secure randomized ci-
pher. J. Cryptology, 5(1):5366, 1992.
[MS08] Tal Moran and Gil Segev. David and Goliath commitments: UC computation for
asymmetric parties using tamper-proof hardware. In EUROCRYPT, pages 527544,
2008.
[NOVY98] Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Perfect zero-
knowledge arguments for NP using any one-way permutation. Journal of Cryptology,
11(2):87108, 1998. Preliminary version in CRYPTO92.
[OVY93a] Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Fair games against an
all-powerful adversary. AMS DIMACS Series in Discrete Mathematics and Theoretical
Computer Science, pages 155169, 1993. Preliminary version in SEQUENCES91.
[OVY93b] Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Interactive hashing sim-
plies zero-knowledge protocol design. pages 267273, 1993.
[OW93] Rafail Ostrovsky and Avi Wigderson. One-way fuctions are essential for non-trivial
zero-knowledge. In ISTCS, pages 317, 1993.
[Rab81] M. O. Rabin. How to exchange secrets by oblivious transfer. TR-81, Harvard, 1981.
[RB89] Tal Rabin and Michael Ben-Or. Veriable secret sharing and multiparty protocols with
honest majority (extended abstract). In STOC, pages 7385, 1989.
49

Interactive Locking, Zero-Knowledge PCPS, and Unconditional Cryptography

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Interactive Locking, Zero-Knowledge PCPS, and Unconditional Cryptography

Uploaded by

Copyright:

Available Formats

Interactive Locking, Zero-Knowledge PCPs,

and Unconditional Cryptography

March 10, 2011

Microsoft Research, India, vipul@microsoft.com

Princeton University, mohammad@cs.princeton.edu. Supported by NSF grants CNS-0627526, CCF-0426582 and

Y and call X and Y -close whenever SD(X, Y ) .

V , runs in time poly(n),

V which is (n)-close to the view of

V consists of the randomness r

V consists of the rst i+1

V by asking queries of the form

to denote an oracle algorithm A accessing the oracle . For the

to ask multiple oracle

interacts with S in two phases:

` (for an arbitrary receiver

R simulates their senders and locking oracles while w

) be a k-round IHS with binding over the message

. Then there exists a bit-ILS = (S, , R) with a k-

while we keep the 2

[W[. Therefore for

[W[. Each edge of the

[W[ to break the

is an oracle algorithm with access to f which asks its queries as follows. At

knows about f . Then if there is any new

asks the lexicographically rst such x. EL

in the lexicographic order, and suppose Q

would learn without stopping after u queries. We call a

S, ). Consider the following cheating strategy:

be the queries of the receiver before sampling

k. Now Lemma 2.3 implies that the

k in either of CanCur or Ideal. Finally

You might also like